AUTOMATED TRANSPORTATION PAYMENTS

Report No. D-2001-148          June 22, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD,
Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports
Distribution Unit of the Audit Followup and Technical Support Directorate at
(703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and
Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or
fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling
(800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or
by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.
The identity of each writer and caller is fully protected.

Acronyms

DFAS       Defense Finance and Accounting Service
DISA       Defense Information System Agency
DITSCAP    Defense Information Technology Security Certification and
           Accreditation Process (DoD Instruction 5200.40)
FFMIA      Federal Financial Management Improvement Act of 1996
GAO        General Accounting Office
LOA        Line of Accounting
MRM        Management Reform Memorandum
OMB        Office of Management and Budget
ST&E       Security Test & Evaluation

Office of the Inspector General, DoD
Report No. D-2001-148          June 22, 2001
(Project No. D1999FI-0080.000)

Automated Transportation Payments

Executive Summary

Introduction. The 1997 Quadrennial Defense Review directed DoD to revolutionize its
business practices. As a result, the Under Secretary of Defense (Comptroller) issued
Management Reform Memorandum No. 15, “Reengineering Defense Transportation
Documentation and Financial Processes-Prototype Implementation.” The reform
memorandum required DoD to reengineer and streamline untimely, paper-based, and
labor-intensive commercial transportation documentation, billing, collection, and payment
processes. To meet the reengineering goals, DoD announced on March 31, 1999, a
transition to the U.S. Bank PowerTrack® service for payment of freight transportation
charges. PowerTrack®, an online freight payment and transaction tracking system, is the
cornerstone of the DoD effort to reengineer transportation payment and accounting
processes. Before the transition to PowerTrack®, DoD annually processed approximately
1.25 million transportation freight payments totaling approximately $1 billion.

Objectives. The audit objective was to determine whether controls over commercial freight
transportation payments processed through PowerTrack® are effective. Specifically, the
audit determined whether the lines of accounting and management information captured in
PowerTrack® and the summarized data provided to the Defense Finance and Accounting
Service are sufficient for payment and accounting purposes. We also determined the
adequacy of controls over certification of PowerTrack® invoices for payment.

Results.
The DoD transportation community’s automated transportation process is already a
major improvement from the previous manual process, but additional measures are warranted
to effectively reengineer transportation freight operations.

Accounting procedures used to process commercial transportation freight payments through
PowerTrack® needed reengineering. DoD did not optimally streamline its internal procedures
to attain the objectives of Management Reform Memorandum No. 15 or to take advantage of
the automated efficiencies offered by the PowerTrack® service. Instead, DoD was adapting
streamlined automated capabilities to perpetuate less efficient business practices. DoD was
unnecessarily incurring processing costs and late payment charges, and creating problem
disbursements as it attempted to annually distribute $1 billion of transportation costs to
thousands of lines of accounting. If DoD revises current accounting procedures to use
centrally managed open allotments to fund transportation freight payments, it would better
achieve its reform objectives (finding A).

Controls over security and management of the automated transportation payment process
were not adequate to safeguard sensitive information or produce reliable data. DoD risks
exposing data to unauthorized parties and noncompliance with public laws and regulations,
operating in a business environment with inadequate management controls, and allowing
Transportation Officers to assume responsibilities and associated liabilities more
appropriately belonging to the financial community (finding B).

Summary of Recommendations. We recommend that the Under Secretary of Defense
(Comptroller) establish and fund Component-level open allotments for transportation freight,
retain Certifying Officer responsibilities at the Defense Finance and Accounting Service, and
revise the DoD Financial Management Regulation.
We recommend that the Under Secretary
of Defense for Acquisition, Technology, and Logistics appoint an executive agent for
PowerTrack® operations. We recommend that the Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence) clarify guidance in regard to system security and
Designated Approving Authority responsibilities associated with commercially owned
electronic commerce applications. We also recommend that standard contract language be
developed to address system security in commercially owned electronic commerce
applications and that the security connection and controls associated with PowerTrack® be
validated. We recommend that the U.S. Transportation Command establish controls over
PowerTrack® operations at each transportation office, implement Public Key Infrastructure
procedures, and update the Defense Transportation Regulations. We recommend that each
Military Component Chief Information Officer incorporate PowerTrack® into base level
System Security Authorization Agreements and operate all mobile code in compliance with
DoD policy.

Management Comments. The Department of the Army did not respond to a draft of this
report issued February 7, 2001. However, we received comments from the Deputy Chief
Financial Officer, Under Secretary of Defense (Comptroller); the Assistant Deputy Under
Secretary of Defense (Transportation Policy); the Deputy Chief Information Officer,
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence); the
Department of the Navy; and the Department of the Air Force. The Deputy Chief Financial
Officer, Under Secretary of Defense (Comptroller) nonconcurred with the recommendation
on simplified accounting, stating that the use of centrally managed open allotments for fund
management is problematic and prone to misuse. The Assistant Deputy Under Secretary of
Defense (Transportation Policy) coordinated her response with the U.S.
Transportation
Command and generally nonconcurred with the recommendations on security, stating that
PowerTrack® is a commercial application and because DoD has no software rights to this
application, DoD system security requirements do not apply. In addition, management
agreed in principle with those recommendations addressed to the U.S. Transportation
Command, but believed that the recommendations should be addressed to the Military
Components and Defense agencies. The Deputy Chief Information Officer, Assistant
Secretary of Defense (Command, Control, Communications, and Intelligence) generally
concurred with the recommendations, stating that guidance was available that addressed
requirements for the electronic commerce applications and that requirements for electronic
commerce applications would be included in a new guidance series being issued. The
Department of the Navy concurred with recommendations, stating that PowerTrack® will be
incorporated into base level System Security Assessment Agreements and mobile code will
be used in accordance with DoD policy. The Department of the Air Force concurred with
the recommendation, stating that it will instruct all parties to comply with DoD mobile code
policy. See the Management Comments section for the complete text of management
comments.

Audit Response. We agree that implementation of PowerTrack® has greatly improved DoD
transportation management. Constructively addressing the issues identified by the audit
would add to that success. Specifically, our recommendations pertaining to centralized open
allotments, strengthened controls, and increased information assurance would significantly
assist DoD in achieving its long-term management improvement goals by reducing cost and
operational risk in its freight transportation program.
We request that the Under Secretary of
Defense (Comptroller); Under Secretary of Defense for Acquisition, Technology, and
Logistics; the Department of the Army; and the Department of the Air Force provide
additional comments to the final report by August 17, 2001.

Table of Contents

Executive Summary

Introduction
    Background
    Objectives

Findings
    A. Accounting for Automated Transportation Payments
    B. Controls Over Automated Transportation Payments

Appendixes
    A. Audit Process
        Scope and Methodology
        Management Control Program Review
        Prior Coverage
    B. Automated Transportation Payment Process
    C. Examples of Lines of Accounting
    D. Criteria
    E. Report Distribution

Management Comments
    Under Secretary of Defense (Comptroller)
    Under Secretary of Defense for Acquisition, Technology, and Logistics
    Assistant Secretary of Defense (Command, Control, Communications
      and Intelligence)
    Department of the Navy
    Department of the Air Force

Background

The DoD transportation mission involves many transportation communities and
assets, services, and systems owned by, contracted for, or controlled by DoD.
The entire infrastructure supports the transportation needs of DoD in peace and in
wartime. The U.S. Transportation Command serves as the manager of the
transportation community and is supported by three Component commands: the
Military Traffic Management Command; the Military Sealift Command; and the
Air Mobility Command.

DoD relies heavily on its commercial transport partners to support its mission.
Approximately 88 percent of all DoD surface shipments are made by commercial
carriers. According to the U.S. Transportation Command, DoD processed
approximately $1 billion worth of commercial freight shipments in FY 1999.
Table 1 identifies FY 1999 DoD commercial freight costs by mode of
transportation.

Table 1. FY 1999 DoD Commercial Transportation Freight Costs

                                          Amount
Modes of Transportation                (in Millions)
Surface                                    $ 693.4
  Truck/Barge              $564.5
  Fuel pipelines             68.9
  Rail                       60.0
Sealift                                      193.7
Airlift                                       61.9
Express Shipments                             75.0
Total                                     $1,024.0

According to the transportation community, transportation freight costs are
expected to decrease from approximately $1 billion to $883 million during
FY 2001.

Criteria Addressing PowerTrack® Functionality. No formal criteria specifically
address the security and management control issues associated with electronic
commerce applications used but not owned by the Government, such as
PowerTrack®. The use of the PowerTrack® service to make transportation freight
payments is a new way of doing business for DoD, one that will become more
common as DoD moves toward contracting for services based on commercial
models. As DoD employs commercial applications, it must establish and
implement adequate business rules and safeguards. DoD does not own or maintain
the PowerTrack® service. Nevertheless, the PowerTrack® service processes,
transmits, stores, and displays DoD information and is an integral part of the
transportation freight payment process. Based on PowerTrack® functionality, we
consider it to be a DoD system and subject to substantially the same statutory and
regulatory guidelines as any other DoD information system.

Management Reform Memorandum No. 15.
The Secretary of Defense 1997
“Quadrennial Defense Review” directed DoD to revolutionize its business
practices. As a result, the Under Secretary of Defense (Comptroller) issued
Management Reform Memorandum (MRM) No. 15 on July 7, 1997. The
objective of MRM No. 15 was to reengineer and streamline DoD commercial
transportation documentation, billing, collection, and payment processes. The
specific reengineering goals included the following:

    • reducing infrastructure costs,

    • eliminating DoD-unique documentation and processes,

    • reducing data requirements,

    • improving data accuracy,

    • developing a single documentation and billing process for all modes of
      transportation,

    • employing best commercial practices,

    • maintaining readiness capability, and

    • increasing the use of electronic commerce.

In an effort to meet the MRM No. 15 objectives, DoD announced on March 31,
1999, the conversion to U.S. Bank's PowerTrack® service for the payment of
commercial transportation freight charges. The PowerTrack® service provides
DoD with a means to completely reengineer transportation documentation,
accounting, and payment processes.

U.S. Bank PowerTrack® Service. The PowerTrack® service is a commercial
on-line freight payment and transaction tracking system developed by U.S. Bank.
U.S.
Bancorp is the holding company for PowerTrack® and owns the registered
PowerTrack® trademark. The PowerTrack® service provides carriers and DoD
shippers (Transportation Officers) with on-line access to shipment data; matches
freight bills of lading and corresponding invoices; processes payments to carriers;
and provides relatively real-time analytical reporting tools. The PowerTrack®
service was intended to electronically interface with DoD accounting systems. In
addition, PowerTrack® stores DoD transportation data and reduces the need to
maintain DoD-unique documentation.

Automated Transportation Payments. Although used exclusively for
transportation freight shipments, the automated transportation payments
processed through the PowerTrack® service are similar to credit card
transactions. Commercial carriers enter an agreement¹ with U.S. Bank. Each
DoD transportation office has an account with U.S. Bank and will process its
transportation freight payments through PowerTrack®. Each month,
PowerTrack® generates an invoice for each DoD transportation office and
summarizes the shipments by DoD funding account or line of accounting (LOA).
See Appendix B for a flowchart of the DoD automated transportation payment
process.

¹ U.S. Bank pays the carrier for delivery of freight shipments and assesses a processing fee of between 1 and
  2 percent of the transportation cost.

DoD began processing payments through PowerTrack® as a prototype in
April 1998 for surface transportation and later began adding transportation modes.
Thus, the initial focus of this audit was centered on surface, or specifically, truck
carriers. As of August 25, 2000, 360 (68 percent) of 532 DoD shipping sites and
282 commercial carriers were using PowerTrack®. Subsequent to the completion
of audit fieldwork, the Assistant Deputy Under Secretary of Defense
(Transportation Policy) reported that 158 additional DoD shipping sites and
67 commercial carriers were using PowerTrack®. The additional sites were not
verified by audit.

Automatic Carrier Payment Approval. PowerTrack® has an automatic carrier
payment approval tool (AutoApproval). The AutoApproval tool approves each
shipment that meets predefined parameters for carrier payments. Shipments
meeting these parameters will be automatically approved for payment and will not
require the transportation office to initiate on-line manual approval for individual
transactions. The goal is to have 95 percent of all carrier invoices approved and
paid through AutoApproval within 3 days of receipt.

Objectives

The audit objective was to determine whether controls over the commercial freight
transportation payments processed through PowerTrack® are effective.
Specifically, the audit determined whether the LOAs and management information
captured in PowerTrack® and the summarized data provided to the Defense
Finance and Accounting Service (DFAS) were sufficient for payment and
accounting purposes.
We also determined the adequacy of controls over the
certification of PowerTrack® invoices. See Appendix A for a discussion of the
scope, methodology, management controls, and prior coverage of the audit
objectives.

A. Accounting for Automated Transportation Payments

Accounting procedures used to process automated transportation freight
payments need further reengineering to achieve optimal benefits from the
PowerTrack® initiative. DoD did not sufficiently streamline its internal
procedures to attain the objectives of MRM No. 15 or to take advantage of
the automated efficiencies offered by the PowerTrack® service. Instead,
DoD was adapting streamlined automated capabilities to perpetuate less
efficient business practices. As a result, DoD was unnecessarily incurring
processing costs and late payment charges and creating unmatched
disbursements as it attempted to annually manage $1 billion of
transportation costs in over 13,000 lines of accounting (LOA).

Reengineering Effort

The DoD transportation community is undertaking significant measures to
reengineer transportation freight operations. We support their efforts as they
strive to meet this challenge. Transportation freight payments have long been an
area of concern within DoD. Before the Under Secretary of Defense
(Comptroller) issued MRM No. 15, transportation freight practices were outdated,
cumbersome, costly, and incapable of producing reliable management
information. We believe that the current reengineering effort is proceeding in the
right direction.
From an operations perspective, it has produced significant
results, reducing the time required to pay carrier invoices from an average of
60 days to 3 days, and increasing visibility of transactions at all levels. However,
DoD needs to adopt commercial internal management and accounting practices to
fully achieve its goal and realize the benefits of revolutionizing transportation
freight operations.

Accounting Procedures

Although a step in the right direction, the reengineering efforts of DoD did not do
enough to keep transportation funds management and accounting procedures from
being paper-burdened and labor-intensive. Current legislation and Office of
Management and Budget (OMB) guidance supports simplified funds control.
However, DoD continued to use cumbersome and costly accounting and
management practices that generated thousands of LOA to track its transportation
freight costs. DoD was unable to effectively capture consistent and reliable
management information through its LOA. Maintaining accurate and valid LOA
remains a challenge for DoD.

Fund Control. Section 1514, title 31, United States Code, “Administrative
Division of Apportionments,” stipulates that agencies should have simplified
systems for administratively dividing appropriations at the highest possible level. In
addition, OMB Circular No. A-34, “Budget Justification,” Section 21.3, “Fund
Control,” recommends that responsibility for budget control be placed at the highest
organizational level that is consistent with effective and efficient management and
control. Instead, Military Departments and Defense agencies allotted transportation
freight funding to the lowest organizational level. These procedures were
counterproductive.
To achieve optimum efficiency and effectiveness, DoD should
restrict the administrative division of transportation funds to the highest possible
level.

Use of Lines of Accounting. The Department’s use of LOAs was predicated on
its administrative division of funds, user needs, and reporting requirements. For
example, management created thousands of unique LOAs to track the division of
funds and provide detailed management data such as the mode of transportation.
New LOAs were created daily when bill of lading numbers were included or
transportation costs were tracked to a specific project, sub-project, or job order
number. The transportation and accounting communities were unable to
determine the precise number of LOAs but estimated that over 13,000 were used
to process approximately $1 billion in transportation freight costs each year.

Cost of Current Accounting Practices. Benefits derived from existing accounting
practices did not warrant the cost incurred to verify the accuracy and validity of the
thousands of unnecessarily detailed LOAs being processed. Transportation of
Things² object class represents approximately 1 percent of the DoD-wide budget.
Yet in FY 1999, we estimated that DoD activities paid approximately $18.1 million
to process approximately 1.25 million transportation freight payments, or $14.14
per payment. In addition, DoD incurred late payment charges while attempting to
fund and validate the LOAs and to reconcile the payments. From February 1999
through May 2000, DoD used 8,468 unique LOAs to process 1.3 million shipments
costing $149 million through PowerTrack®. Ninety percent of the transactions
processed used less than 1 percent (69 of 8,468) of the LOAs.
DFAS was only able
to validate 2,270 LOAs, or approximately 27 percent. The remaining 73 percent of
the LOAs were inadequate to effect payment and required reconciliation. To ensure
accuracy and reliability, the LOAs need to be simplified. We were unable to
identify the value added by maintaining inaccurate and invalid LOAs to manage the
Department’s transportation funds. See Appendix C for examples of DoD use of
transportation LOAs.

Streamlining Effort

The DoD did not optimally streamline transportation freight management and
accounting procedures to attain the objectives of MRM No. 15 or to take
advantage of the automated efficiencies that the PowerTrack® service offered.
DoD did not effectively reduce the number of LOAs, which resulted in the need
to use alternate LOAs and develop and maintain up-front LOA conversion tables
to meet payment and accounting requirements. The reengineered procedures
accommodated and perpetuated inefficient accounting procedures.

Request to Reduce the Number of LOAs. To facilitate the flow of accurate
accounting data, the Deputy Secretary of Defense directed the Services and the
Defense Logistics Agency to reduce the number of transportation LOAs used
and to report the status of their efforts by June 30, 2000. As previously
discussed, the precise number of LOAs being used for processing transportation
freight transactions was unknown. The response to the Deputy Secretary of
Defense request was mixed.

² Object Classes are categories in a classification system that represents obligations incurred by the Federal
  Government. The “Transportation of Things” object class comprises those obligations incurred from goods and
  services associated with the transporting and care of things, including animals.

Army Response. Although the Army response indicated that it reduced
the number of element of resource codes used, it did not actually reduce the
number of LOAs. The element of resource code identifies the mode of
transportation in the LOA. Because the Army frequently includes the bill of
lading number in its LOA, a unique LOA is created with each bill of lading
processed. The Army did not identify how many LOAs it previously used or if
any LOAs were reduced by its efforts.

Navy Response. The Navy responded that it had already reduced the
number of LOAs as much as possible. The Navy uses 16 LOAs for its centrally
managed transportation, which represents 72 percent of its transportation cost. It
uses an additional 674 LOAs for its remaining 28 percent of transportation costs
that were supported by decentralized funds. The Navy continued to use
Transportation Account Codes to provide detailed information about its shipments.

Air Force Response. The Air Force reduced its transportation element of
expense or investment code, which identifies the mode of transportation used. The
Air Force was not able to specify how many LOAs it previously used but estimated
that it reduced the number of LOAs to between 2,000 and 3,000 for transportation
freight shipments.

Defense Logistics Agency Response.
Prior to the tasking by the Deputy
Secretary of Defense, the Defense Logistics Agency, Defense Distribution Center,
had reduced its transportation freight LOAs from 150 to 29.

The Under Secretary of Defense (Comptroller) officials recognized that sufficient
progress had not been made by the Components and believed that additional time
was needed to allow implementation of the process change. The Under Secretary
of Defense (Comptroller) needs to ensure that the requirement to reduce the
number of transportation LOAs is met.

PowerTrack® Efficiencies. The DoD reengineering effort did not take full
advantage of the automated efficiencies achievable with the PowerTrack® service.
Processing responsibilities were shifted from DFAS to the Transportation Officer,
Funds Manager, and the PowerTrack® service. PowerTrack® automates carrier
payments, aggregates them by LOA, and electronically bills DoD by aggregated
LOA. DFAS then reimburses U.S. Bank. DFAS projects that it would reduce
the number of payments processed from 1.25 million to 108,000 annually. Based
on DFAS FY 2001 billing rates, the Components would decrease their processing
costs for transportation freight invoices by approximately $34 million that is
attributable to aggregating the LOA for payment. See Table 2 below.

Table 2. Comparison of Invoice Processing Costs Incurred

                                    Projected     Billing Rate     Processing
                                     FY 2001          per             Costs
Transaction                         Payments       Payment*         Incurred
Individual bills (GBLs)             1,250,000       $28.78        $35,975,000
Aggregated bills through
  PowerTrack® (CBLs)                  108,000       $17.88          1,931,040
Projected Annual Cost Reduction                                   $34,043,960

* The rate represents the amount DFAS will bill its customers to process the
invoice. The DFAS billing rate includes its costs to certify the invoice and
reconcile problem disbursements in addition to invoice payment.

The cost reduction estimate is misleading because what DoD has effectively done is
shift a major portion of the DFAS processing responsibilities and processing cost to
other DoD offices that must continue to reconcile and account for the 1.25 million
individual transactions processed. In PowerTrack®, the Transportation Officer takes on
additional payment responsibilities, such as approving carrier invoices for payment,
reconciling the individual shipments to a monthly U.S. Bank invoice, and certifying the
invoice for payment. These functions were all previously performed by DFAS and
may require a Transportation Officer (that is, Certifying Officer) to interface with
individual Funds Managers and Service representatives because access to financial
data is needed.
Therefore, the projected cost reduction associated with processing the
PowerTrack® aggregate billings may only be realized at the DFAS payment level.
The processing costs will continue, if not escalate, at the individual transaction level
because, with the current inefficient accounting procedures, several DoD offices are
needed to support the automated transportation payment process. The Assistant
Deputy Under Secretary of Defense (Transportation Policy) believes that the
additional efficiencies or improved management information obtained through
PowerTrack® have other cost benefits associated with them. Although not quantifiable,
these benefits should also be considered when computing the expected cost reduction
associated with PowerTrack®.

        Transportation Officer Responsibilities for Processing Bills Through
PowerTrack®. Under reengineered transportation freight payment procedures, the
Transportation Officer will perform several functions previously performed by DFAS.
Currently, the Transportation Officer individually reviews the carrier invoices in
PowerTrack® and approves invoices for payment, after which U.S. Bank electronically
pays the carrier invoices. When AutoApproval procedures are fully implemented, the
DoD goal is to have 95 percent of all carrier payment transactions approved and paid
through AutoApproval procedures within 3 days. AutoApproval procedures allow
carrier invoices to be automatically paid by U.S. Bank without prior review or
approval by the Transportation Officer. In both scenarios, PowerTrack® generates an
electronic monthly billing statement containing paid carrier invoices aggregated by
LOA. The Transportation Officer will retrieve the monthly billing statement in
PowerTrack® and certify the statement that both shipments and LOAs are valid and
appropriate for payment.

Ensure Accurate Billing Statements.
To ensure that the billing statement is
correct, the Transportation Officer manually reconciles the individual shipments to
the monthly billing statement and attempts to reconcile and validate each LOA
before forwarding the certified monthly billing statement to DFAS for payment.
At DFAS Indianapolis, the individual shipping documents were also required for
payment to supplement the certified monthly billing statement because the certified
monthly billing statement could not be reconciled with the detailed PowerTrack®
statement. Subsequent to the audit, DFAS Indianapolis stated that PowerTrack®
had been upgraded to support the reconciliation of the monthly statement and that
individual shipping documents were not required for proper payment. In addition,
DFAS did not have appropriate appointment letters and signature cards on file as
required by DoD Financial Management Regulations.

Transportation Officer Certification Responsibilities. Under PowerTrack®
reengineered transportation freight payment procedures, Transportation Officers
are required to certify the monthly billing statements. The certification process
was previously done by DFAS and required reconciliation and validation of LOAs
to verify that the billing statement was correct. We reviewed 19 monthly billing
statements containing approximately 10,000 shipping documents and approximately
400 LOAs. Over a quarter of the LOAs processed required corrections before
certification. The certification process is time-consuming and complex. For
example, each monthly billing statement contains a summary statement and a
detailed billing statement. The summary statement provides the cumulative total
costs associated with each LOA. The detailed billing statement is organized
chronologically by carrier paid date and provides details of each individual
shipment processed.
Those two documents do not provide enough information to
validate and reconcile the monthly billing statement. Thus, the Funds Manager
Report and individual shipping documents are also needed. Several Certifying
Officers interviewed were not aware of the Funds Manager Report and thus did not
use it as a reconciliation tool. Validating and reconciling the LOA on the monthly
billing statement to the individual shipping documents are an administrative
burden. Subsequent to our field work, upgrades were made to PowerTrack® to
facilitate the reconciliation process.

Certification of Other DoD Components' Funds. Additional problems arose when
the transportation office attempted to certify shipments funded by another DoD
Component. Some Transportation Offices only certified the LOAs that belonged to
their installation while other Transportation Offices certified the entire monthly
billing statement without ensuring the validity of the LOAs processed for others.
Both processes resulted in a backlog of unpaid billing statements and associated late
payment charges. The short-term solution was to establish alternate LOAs to use for
payment purposes. The alternate LOAs should have expedited the payment of
monthly billing statements. However, after payment, the Transportation Officers
and Funds Managers still needed to reconcile the problem LOAs and distribute
charges to the appropriate LOA. The proposed long-term solution was to implement
comprehensive front-end edits (automated LOA conversion capability) to preclude
invalid LOAs from being processed through PowerTrack®.

LOA Conversion Capability. The DoD attempted to insert an automated LOA
conversion capability between PowerTrack® and DoD users to provide a standard
format and to verify that only accurate and valid LOAs were used to process
shipments.
PowerTrack® functionality did not include an LOA verification because
it did not need LOAs to pay carriers or to bill DoD for reimbursement. Likewise,
DoD did not need all of the detailed information in an LOA to comply with fiscal
requirements to properly account for and report on its use of transportation funds.
The transportation LOA is largely a management information tool. The complex
and costly effort being undertaken to insert and maintain an LOA conversion
capability between DoD users and PowerTrack® is not the appropriate action to
resolve problem LOAs. The LOA conversion would not resolve the root cause of
the payment and accounting problem or simplify appropriations and budget control
functions; it would not alleviate the need to process thousands of LOAs; and it
would not reduce the overhead cost being incurred to track and report on less than
one percent of the DoD budget. It would simply add another layer of cost and
complexity to transportation freight operations and prevent DoD from fully
realizing the reengineering opportunity at hand.

Current Business Practices

The transportation freight operations management and accounting business
practices would result in DoD:

    • continuing to incur similar labor costs to process transportation
      payments (the revised costs are unknown but estimated at approximately
      $35.9 million annually) as before implementation of PowerTrack®,

    • unnecessarily incurring late payment charges and creating unmatched
      disbursements, and

    • increasing the risk of violating public law as it attempts to annually
      distribute $1 billion of transportation costs to more than 13,000 LOAs.

Processing Cost.
The DoD strategy for processing transportation freight payments
through PowerTrack® was complex and costly. It required training the staff in more
than 500 Transportation Offices to execute accounting functions that a staff of DFAS
technicians accomplished in the past. The DoD strategy depended on a system of
LOAs that could not produce reliable management and accounting data with which to
measure program effectiveness or make management decisions. PowerTrack® enabled
DoD to reduce the time required to pay carriers (from 60 days to 3 days) and to
provide transportation data used in management decisions. Yet DoD was unable to
certify and pay U.S. Bank in a timely manner to avoid incurring late payment
charges. In FY 2000, DoD had on average $8 million in overdue payments, some
more than 165 days old. Unlike private industry, DoD managed and accounted for
transportation payments at the lowest possible administrative level rather than as
overhead expenses. If the cost to have three organizational entities (the
Transportation Offices, Funds Managers, and DFAS) process payments for DoD
transportation freight shipments does not exceed the DFAS billing rate, processing
one LOA in FY 2001 would cost DoD an estimated $17.88.

Private Industry. Private industry, on the other hand, largely treats transportation
expenses as overhead and allocates them accordingly, resulting in a
$3 non-accounting processing cost per shipment.³ If DoD adopted the commercial
practice of accounting for transportation costs at the corporate level, it could
substantially reduce its costs.
Although DoD could continue to incur some
unknown non-accounting cost to process the transactions, it could conservatively
avoid approximately $34 million in accounting costs and late payment charges per
year.

³ Coopers & Lybrand L.L.P., Report of the DoD Reengineering Task Force: Reengineering
  Transportation Documentation and Financial Processes, 'As Is' Phase, March 1998

Late Payment Charges. Invalid and unfunded LOAs hamper the ability of DoD to
consistently meet contractual agreements with U.S. Bank to avoid late payment
charges. DoD contractually agreed to reimburse U.S. Bank for payments made to
carriers on its behalf within 15 days of the date of the invoice or to pay a late
payment charge equal to the Prompt Payment Act interest rate (6.75 percent at the
time of the audit). From October 1998 through July 2000, it took DoD an average
of 46 days to make transportation payments using the PowerTrack® service.
Although this represents a 25 percent improvement from the 60-day average needed
to pay carriers before using PowerTrack®, it is still only a marginal improvement
considering the prompt payment agreement of 15 days. During the first 9 months of
calendar year 2000, DoD incurred approximately $400,000 in late payment charges.

Figure 1. Late Payment Charges Incurred on Past Due PowerTrack® Balances
(January 2000 - September 2000)

    Days Past Due    Late Payment Charges
          15               $157,681
          45                $92,355
          75                $67,594
         105                $43,449
         135                $16,643
         165                $13,874

Almost 36 percent of the late payments were at least 75 days past due. DoD
needs to adopt efficient and effective payment procedures to meet the aggressive
15-day payment schedule and to avoid late payment charges. Instead, DoD
planned to use alternate LOAs as an interim solution to expedite payments.

Subsequent to completion of audit verification efforts, the Assistant Deputy Under
Secretary of Defense (Transportation Policy) said that payment to U.S. Bank had
improved. In August 2000, delinquent monthly billing statements were paid,
including approximately $218,000 of interest. In September and October,
approximately $30,000 and $55,000 of interest were paid, respectively. The
Assistant Deputy Under Secretary of Defense (Transportation Policy) was working
with DFAS and the Services to reduce the time to make payments. Some of the
problems included bad or unfunded LOAs or missing monthly bank statements.
DFAS began using the alternate LOA for the November 16, 2000, monthly bank
statement, which the Assistant Deputy Under Secretary of Defense (Transportation
Policy) believes will improve the timeliness of payments.

Alternate Lines of Accounting. The Deputy Secretary of Defense issued a
memorandum on May 5, 2000, tasking DoD Components to identify alternate
LOAs and obligate sufficient funds to process transportation freight payments.
DoD intended to fund and use the LOAs to process problem disbursements
involving invalid or unfunded LOAs. The intent was to use the alternate LOAs to
expedite the payment process, not to reengineer it. The Assistant Deputy Under
Secretary of Defense (Transportation Policy) reported that each Service had
established alternate LOAs.

        Use of Alternate LOA.
According to the Deputy Secretary’s
memorandum, when an inaccurate LOA is not corrected within 2 days, DFAS is to
pay the invoice citing the respective DoD Component alternate LOA. The
transaction would then be treated similarly to an unmatched disbursement. The
DoD Component is responsible for liquidating the alternate LOA by identifying and
transferring the cost to the correct LOA. If the LOA was not sufficiently funded,
the Funds Manager would obligate the needed funds. In a subsequent
memorandum issued December 11, 2000, the number of days allowed before an
alternate LOA is assigned was increased from 2 days to 3 days in an attempt to
reduce the amount of rework needed to reassign the alternate LOA.

        Risks of Alternate LOA. At least two risks are envisioned with the use of
alternate LOAs. If an obligation is created when the shipment occurs, and another
is used to pay for the shipment, DoD will have effectively created a dual obligation
for the transaction, which does not support funds management goals. On the other
hand, incurring a liability without an accompanying obligation risks violating
public law. Although we fully support the use of corporate-level LOAs for
transportation freight budget and accounting purposes, the proposed method of
using alternate LOAs is not the optimum solution to problem disbursements.

Problem Disbursements. Problem disbursements are a growing concern for the
transportation community. Of the LOAs submitted to DFAS in July 2000,
45 percent were inadequate to effect payment. When DFAS cites alternate LOAs
to pay transportation charges, the Transportation Officer is supposed to treat them
as problem disbursements and reconcile them with original obligations, which is an
unrealistic expectation.
Even if Transportation Officers could have reconciled their
own transactions, they did not have access to obligations for shipments they
processed for other entities; therefore, they could not verify the accuracy of those
LOAs. In addition, the Prompt Payment Act, funds management, and accounting
were not core Transportation Officer functions or priorities. Furthermore, neither
Transportation Officers nor Funds Managers have visibility over inaccurate LOAs.
These assessments were evident in the 45 percent error rate of LOAs submitted to
DFAS for payment after attempted verification by the transportation community.
Even with the pressure to pay billing statements or incur late payment charges, it
was taking DoD an average of 46 days to pay U.S. Bank.

Reconciling Problem Disbursements. We believe that reconciling problem
disbursements would be less urgent after U.S. Bank has been paid. As a result, the
number of unresolved problem disbursements will increase. In addition,
transportation freight payment procedures did not accomplish prevalidation
objectives and significantly increased the risk of pecuniary liability for the
Transportation Officer who certified the invoice.

Prevalidation Requirements. Transportation freight payment procedures did not
accomplish the DoD prevalidation objectives established in response to Section 8137
of Public Law 103-335, “DoD Appropriations Act 1995.” The Act requires DoD to
develop and implement a plan to match disbursements to corresponding obligations.
DoD plans called for accomplishing this at the zero dollar threshold for all
disbursements, except contract payments made by DFAS Columbus. Although
DFAS was attempting to comply with the DoD prevalidation initiative, it was
frequently unable to do so because of pervasive accounting errors.
In FY 2000, DoD
maintained a monthly average of $8 million of transportation payments that were past
due because of obligation and accounting data problems. As the number of
transactions processed through PowerTrack® increases, DFAS would be forced to pay
transportation payments without prevalidating them or incur increasing late payment
charges. Such payments will result in an increased number of problem disbursements.

Corporate Approach

Centrally managed LOAs are essential to successfully reengineering transportation
freight operations. Best commercial practices support treating transportation as a
corporate expense for accounting purposes. MRM No. 15 challenged managers to
update and restructure business practices consistent with statutory and technological
constraints. DoD has taken sweeping steps to automate transportation freight
payments. However, the complexity of the current approach to account for those
payments creates an undue administrative burden on the transportation community
and denies DoD the optimum benefits of reengineering. We believe that DoD is
pursuing the right course in establishing alternate LOAs to process transportation
payments for problem disbursements. However, we do not believe that the
alternate LOAs should be the exception and reserved only for problem
disbursements. The DoD Components should establish centrally managed open
allotments for all DoD transportation freight payments.

Use of Centrally Managed Open Allotments.
The use of centrally managed open
allotments with operating targets at the Department level would enable DoD to
minimize its growing number of problem disbursements, eliminate late payment
charges, prevent potential violations of public law, produce reliable metrics to
measure program effectiveness, and eliminate costly detailed management and
accounting procedures. Recent congressional testimony also identified the need for
DoD to simplify its data documentation requirements to take advantage of
electronic commerce with commercial systems. The use of open allotments will
make possible the seamless, paperless process for paying transportation freight bills
through vendor pay systems that DoD is trying to achieve.

Summary

The ongoing transportation reengineering effort provides a significant opportunity
for DoD to avoid unnecessary administrative burdens associated with transportation
freight shipments, avoid additional cost, and produce meaningful metrics with
which to measure program effectiveness. PowerTrack®, the cornerstone of the
DoD reengineering effort, is automating and expediting vendor payments, but
internal DoD business practices are negating those benefits. By using an up-front
LOA conversion system without further reengineering its business practice, DoD
would be perpetuating inefficiencies that will result in additional processing costs,
unnecessary late payment charges, and unmatched disbursements. The transition to
automated carrier payments was a step in the right direction, but relying on
PowerTrack® alone falls short of reengineering DoD transportation payment
processes. Centrally managed open allotments with targets at the operating level,
coupled with the automated carrier payment service, would provide DoD with an
electronic commerce capability that attains the objectives of MRM No. 15 and
realizes the optimal benefits of reengineering.

Recommendation, Management Comments, and Audit Response

A. We recommend that the Under Secretary of Defense (Comptroller) require
the Defense Components to establish and fund open transportation allotments
for budget and accounting purposes, and limit transportation lines of
accounting to the Defense Component level to avoid late payment charges and
problem disbursements and support the DoD prevalidation initiative.

Management Comments. The Deputy Chief Financial Officer, Under Secretary
of Defense (Comptroller) nonconcurred with the recommendation and stated that
the use of open allotments is problematic and prone to misuse because the
managers using the funds are not responsible for programming and budgeting the
funds. Transportation costs are accumulated by high volume, low dollar value
transactions and are better managed by those organizations that incur the costs. In
May 2000, the Under Secretary of Defense (Comptroller) required the DoD
Components to establish alternate lines of accounting. The LOA is used to convey
management information to the Components Funds Manager and it was not
unreasonable to allow additional time for the Components to change business
processes before significant reductions in the number of LOAs could be expected.

Audit Response. Deputy Chief Financial Officer, Under Secretary of Defense
(Comptroller) comments were nonresponsive. The current organization structure
effectively segregates duties and supervision with respect to rating shipments. If
open allotments were prone to misuse as stated, the DoD should revise its current
practices for managing billions of dollars in appropriations.
For example, the DoD
open allotments for military pay are valued at about $73 billion in contrast to the
$1 billion in transportation payments processed through PowerTrack. Currently,
the Army manages its overseas shipments through the open allotment process.

In most situations, the transportation office is responsible for processing, not for
rating the shipments or programming or budgeting the funds associated with the
shipments. The transportation office is a support function, independent of the
program and Funds Manager. The current fund management practice does not
provide effective controls for promptly recording, properly accounting, and
accurately preparing reliable financial and management reports.
Seventy-three percent of the LOAs processed during a 14-month period reviewed
were inadequate to effect payment and required reconciliation. The
implementation of PowerTrack® has improved the Department’s response time to
pay the carrier, but only marginal improvement has been shown in completing the
transaction and obtaining complete and accurate accounting and management cost
information. Where alternate LOAs are now used, their monthly volume has
increased and represents problem disbursements that must be either researched and
reworked or left to stand as duplicate obligations. This effectively then becomes a
transportation open allotment, by default.

Management comments also imply that the Transportation Officers will not act in
the best interest of the Department. The Transportation Officer’s main
responsibility is to ensure that the shipment is transported effectively and
efficiently. The majority of surface freight shipment rates are not set by the
Transportation Officer but are negotiated and contracted by the Military Traffic
Management Command. The Transportation Officer should not be encumbered by
overly complex accounting requirements.
By using open transportation allotments
and limiting transportation LOAs, transportation costs can be managed effectively
and efficiently as overhead, processing costs can be reduced, and management cost
data can be captured through PowerTrack®.

The Deputy Chief Financial Officer, Under Secretary of Defense (Comptroller)
believes that “a reasonable amount of time must be allowed to implement the
necessary process changes” before alternative actions are appropriate. Over a year
has passed since the Deputy Secretary of Defense requested a reduction of LOAs
and minimal change has occurred. The Under Secretary of Defense (Comptroller)
has yet to assume a leadership role by analyzing required LOAs, clearly defining
reduction targets, and initiating corrective actions where progress is not apparent.
Further, the Deputy Chief Financial Officer, Under Secretary of Defense
(Comptroller) also declined to specify how many years' delay is reasonable before
positive corrective actions should be taken. Therefore, we request the Under
Secretary of Defense (Comptroller) reconsider the recommendation and provide
additional comments to this report.

B. Controls Over Automated Transportation Payments

Although the automated transportation payment process is an improvement
over the manual process, controls over these automated transportation
payments were not adequate to safeguard sensitive financial information or
to ensure production of reliable data. DoD had not fully assessed system
risks, resolved system vulnerabilities, and included basic internal controls in
the automated payment process.
As a result, DoD reengineering efforts
contain a high risk of exposing sensitive financial data to unauthorized
parties, risk noncompliance with public laws and regulations, promote
operating in a business environment lacking strong management controls,
and require Transportation Officers to assume responsibilities and
associated liabilities more appropriately belonging to the financial
community.

Controls

General Accounting Office (GAO) Publication, GAO/AIMD-00-21.3.1, “Standards
for Internal Control in the Federal Government,” November 1999, provides the
framework for obtaining reasonable assurance that operations are effective and
efficient, produce reliable data, and comply with applicable laws and regulations.
These standards are based, in part, on section 3512, title 31, United States Code
(31 U.S.C. 3512), and the Computer Security Act of 1987, as well as OMB and DoD
implementing regulations. The controls specified in the standards are the policies and
procedures that enforce management’s directives. These controls are critical to
ensuring the integrity and reliability of data used by financial managers and relied on
for the preparation of DoD financial statements and reports. Critical fundamental
controls include identifying, analyzing, and managing relevant operational risks,
segregation of duties, and restrictions to and accountability for resources and records.

Effectiveness of Controls. DoD had not established an effective system of
management controls over its transportation freight payment process.
PowerTrack® was integrated into the transportation payment process without a
system accreditation. System vulnerabilities and risks had not been fully identified
or assessed.
PowerTrack® was also being incorporated into the DoD transportation
payment process without full consideration of the overarching DoD architecture.
Responsibility for the implementation and operation of the automated payment
process was not clearly delegated or coordinated. As a result, DoD was processing
its transportation freight payments through PowerTrack® without adequate system
and management control measures to ensure that sensitive data and DoD financial
management systems were safeguarded and that the system produced reliable data
for financial statement reporting. The Federal Financial Management Improvement
Act of 1996 (FFMIA) mandates that financial management systems comply
substantially with financial management system requirements, Federal accounting
standards, and the United States Government Standard General Ledger at the
transaction level. A brief synopsis of the criteria is available in Appendix D.

Financial Management Systems Security Requirements. DoD Directive 5200.28,
“Security Requirements for Automated Information Systems,” March 21, 1988,
implements the requirements of OMB Circular No. A-130, “Management of Federal
Information Resources.” The established criteria require that the automated
information systems safeguard information against tampering, loss, and destruction.
Automated information systems are defined as an assembly of computer hardware,
software, firmware, or some combination of the three, configured to collect, create,
communicate, compute, disseminate, process, store, or control data or information
and includes application and operating system software.
The DoD Directive states
that the Head of each Component shall assign official(s) as the Designated
Approving Authority responsible for accrediting each automated information system
and for ensuring compliance with automated information systems security
requirements. The accreditation is the formal approval given by the Designated
Approving Authority to operate the system. DoD Instruction 5200.40, “DoD
Information Technology Security Certification and Accreditation Process,”
implements the security requirements identified in Public Law 100-235, “Computer
Security Act of 1987,” OMB Circular No. A-130, and DoD Directive 5200.28. It
prescribes procedures for the certification and accreditation process.

Mobile Code Policy Guidance. The Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence) issued policy guidance for the use of
mobile code technologies in DoD information systems on November 7, 2000. The
draft guidance had been available since December 13, 1999. The policy applies to
all DoD information systems used to process, transmit, store, or display DoD
information and specifically includes commercial off-the-shelf software and
electronic commerce applications used but not owned by the Government. Mobile
code (that is, ActiveX) is software transferred across a network from a remote
system (that is, PowerTrack®) and executed on a local system (that is, Transportation
Officers’ computers). The execution of mobile code is done without explicit
approval or knowledge by the recipient. The policy defines ActiveX as “Category
One” mobile code. Category One mobile code technologies pose a severe threat
to DoD operations because they allow unmitigated access to all resources on the
recipient's workstation, host, and remote system services and resources.
The
policy states that Category One mobile code is to be used in DoD information
systems only when the mobile code is signed by a DoD-approved Public Key
Infrastructure code-signing certificate and obtained from a trusted source. Until a
DoD-approved Public Key Infrastructure code-signing certificate is available, the
Chief Information Officer may approve alternate commercially available
code-signing certificates. Therefore, we believe that DoD needs to:

    • disable the downloading and execution of all mobile code on DoD local
      systems that is not operating in accordance with DoD policy, and

    • ensure that ActiveX mobile code used in PowerTrack® is replaced with
      mobile code that is in accordance with DoD policy.

Results of Defense Information System Agency Security Test and Evaluation
Review. In the early stages of PowerTrack® implementation, the MRM No. 15
Program Management Office asked the Defense Information System Agency (DISA)
to conduct a Security Test and Evaluation (ST&E) of the PowerTrack® client and
end-user application controls to identify associated security features and risks. The
ST&E is one of eight tasks within the DoD Instruction 5200.40, “DoD Information
Technology Security Certification and Accreditation Process” (DITSCAP), validation
phase used to certify the integration and operation of system security features. On
January 31, 2000, DISA issued the results of its ST&E, and could not give
PowerTrack® an approval to operate within DoD because of major concerns
uncovered during the ST&E. The DISA ST&E identified 18 security vulnerabilities
and raised 8 significant issues for management attention.
Because the ST&E is only
a part of the system security assessment, DISA also recommended that a complete
system security assessment be conducted including the testing of PowerTrack®'s
infrastructure and servers or evidence that such testing was conducted. DISA
identified the following security issues during its ST&E review.

       •   ActiveX Mobile Code. PowerTrack® uses ActiveX technology that has
           been identified by DoD as a risk Category One. According to DISA,
           Category One technologies have known security vulnerabilities with few
           or no countermeasures once the mobile code begins executing. ActiveX
           mobile code has the potential to severely degrade DoD systems. The
           high risk of using Category One technologies outweighs all possible
           gains. The May 11, 2000, Under Secretary of Defense for Acquisition,
           Technology, and Logistics memorandum states that U.S. Bank was
           going to remove ActiveX mobile code from PowerTrack® by
           December 2000. In response, the Assistant Secretary of Defense
           (Command, Control, Communications, and Intelligence) issued a waiver
           allowing the use of ActiveX mobile code to process transportation
           freight payment transactions. As of January 2001, ActiveX continues to
           operate through PowerTrack® in DoD systems.

       •   Windows 95 and Windows 98 platforms. DISA did not recommend
           using PowerTrack® with Windows 95 or Windows 98 platforms because
           of their inherent security weaknesses. The identity of each user
           authorized access to PowerTrack® should be established positively
           before authorizing access. Windows 95 and Windows 98 access
           controls can be easily bypassed.
           Although these weaknesses may be
           mitigated by procedural and personnel access controls, in combination
           with other weaknesses, the use of Windows 95 and Windows 98
           platforms poses sufficient concerns so that DISA recommended these
           platforms not be used.

       •   User Identifications and Passwords. DISA reported that the history
           mechanism of Internet Explorer 5.0 (used with PowerTrack®) stores
           unencrypted user identification and passwords on the user's personal
           computer where it can be accessed and read by unauthorized persons.

       •   Information System Personnel. DISA stated that an Information
           System Security Officer had not been identified or designated
           responsibility for overseeing PowerTrack® as required by the provisions
           of DoD Directive 5200.28. DoD Directive 5200.28 states that the
           Designated Approving Authority, who is responsible for overseeing
           PowerTrack®, will assign the Information System Security Officers.
           The Under Secretary of Defense for Acquisition, Technology, and
           Logistics needs to appoint a Designated Approving Authority for
           PowerTrack®.

       •   User Profiles. Users are able to set up their own organization profiles
           in PowerTrack®. Unrestricted access to PowerTrack® user profiles
           allows establishment of inappropriate carrier profiles and business rules
           regarding carrier payment approval. Such access allows for potential
           collusion between user and carrier that could result in financial loss.

Office of the Secretary of Defense Position on DITSCAP Applicability to
PowerTrack®.
We commend Assistant Deputy Under Secretary of Defense
(Transportation Policy) for obtaining an interpretation of the DoD Instruction 5200.40,
commonly referred to as DITSCAP, applicability to PowerTrack®. The August 30,
2000, Assistant Secretary of Defense (Command, Control, Communications, and
Intelligence) response advises that DITSCAP certification and accreditation of
PowerTrack® were not required because DoD did not own the software rights to the
application. However, the Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) directed that the impact of PowerTrack®
implementation on DoD network information assurance be understood. In addition, he
advised that an amendment to the local base level System Security Accreditation
Agreement was necessary and follows in Phase 4 of DITSCAP. Consequently, the
Assistant Deputy Under Secretary of Defense (Transportation Policy) did not consider
DITSCAP applicable and continued to aggressively implement PowerTrack® without
fully assessing the impact on DoD network information assurance or addressing the
reported security risks or conducting additional tests as recommended by DISA. Since
the ST&E, the office of the Assistant Deputy Under Secretary of Defense
(Transportation Policy) has continued to push towards full implementation of
PowerTrack® at all DoD shipper sites. In addition, transportation regulations have
been updated and require that DoD only contract with commercial carriers who
conduct business through PowerTrack®. Thus, DoD commercial freight carriers are
required to be PowerTrack® capable within 6 months of the transportation office
becoming PowerTrack® enabled.

Office of Inspector General, DoD Position on DITSCAP Applicability to
PowerTrack®.
Based on our review of the automated payment process and
subsequent discussions with the Office of the Assistant Secretary of Defense
(Command, Control, Communications, and Intelligence), we believe that system
security requirements outlined in DoD Directive 5200.28 and implemented in DoD
Instruction 5200.40 are applicable to PowerTrack®. The guidance states that its
provisions apply to all automated information systems that collect, communicate,
store, or control data, to include application software. PowerTrack® is an electronic
commerce application that is an integral part of the DoD reengineered transportation
payment process. In addition, DoD transportation data will reside within
PowerTrack® and will be used and relied on in making payments to carriers and
U.S. Bank. In the absence of more specific implementing guidance, DITSCAP is the
most comprehensive guidance available to ensure that DoD interests and assets are
protected. It would be prudent to fully assess the risks to the transportation payment
data, commercial carriers, and DoD infrastructure before approval to operate any
system, including commercial off-the-shelf products and electronic commerce
applications not owned by the Government. All vulnerabilities should be identified
and risks mitigated prior to integration. PowerTrack® represents a new process for
doing business. The Office of the Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) had not fully assessed the impact of using an
electronic commerce application not owned by the Government on the DoD operating
environment and DoD data. In effect, new or revised policy guidance is needed to
clarify management's responsibility with respect to all DoD information systems used
to process, transmit, store, or display DoD information.
The guidance should
specifically address commercial off-the-shelf products and electronic commerce
applications not owned by the Government. In addition, standard contracting language
is needed for all electronic commerce application contracts that specifies the
responsibilities for ensuring compliance with established system security and
management control requirements.

System Security. The Office of the Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence) had not fully assessed the impact of
this new business process on the DoD infrastructure. As a result, DoD risks
unauthorized access to sensitive financial data and noncompliance with public
laws and regulations. Figure 2 shows the relationship between the DoD
infrastructure and the U.S. Bank PowerTrack® service.

[Figure 2. Systems Relationship. Diagram labels: DoD Infrastructure: Accounting
System*, Shipper System, Client PC; NIPRNET; INTERNET; U.S. Bank: PowerTrack,
DoD Data. *Indicates future implementation.]

Access Controls. The willingness of trading partners to transact business with
DoD via the Internet will decline if all parties are not assured that confidential
information, such as vendor bank account numbers, will remain confidential.
To protect and authenticate electronic payment transactions made via the
Internet and data within PowerTrack®, DoD needs to immediately implement a
Public Key Infrastructure or digital signature and encryption capabilities.
Federal Information Protection Standards established levels of Public Key
Infrastructure security.
Accordingly, the GAO determined that Federal
Information Protection Standard 228 level 2 protection is appropriate for DoD
financial management systems. Digital signatures and encryption capabilities
are widely used methods of improving system security because they allow
DoD to ensure that:

       •   data contained in electronic transactions and messages have not been
           altered and can be fully relied on for financial statement purposes,

       •   system users can confirm who is on the other end of an electronic
           transaction,

       •   parties involved in a transaction cannot later deny that they participated
           in the transaction, and

       •   data cannot be accessed and read without proper authorization.

Given the sensitivity and dollar value of transportation freight data transmitted
over the Internet and the legal, financial, and national security implications of
unauthorized access to or use of that data, DoD should require all PowerTrack®
transactions be encrypted and contain digital signatures.

Internal Management Controls

Fundamental management controls over the processing of PowerTrack® transactions
were not established or functioning as intended. We identified material control
weaknesses in the areas of operating guidance, training, approval of payments, and
payment procedures. Also, PowerTrack® access privileges and appropriate carrier
invoicing models were not established to ensure effective and efficient operations,
data reliability, and compliance with applicable laws and regulations.

Operating Guidance. DoD did not develop adequate operating guidance for
processing transactions through PowerTrack®. The DoD Transportation Regulation
is the governing guidance over transportation transactions and payments.
The
regulations were silent with regard to transactions processed through PowerTrack®
and the additional responsibilities of the Transportation Officers. Although DFAS
does not have policy jurisdiction over the Transportation Officers or Funds
Managers, DFAS issued a memorandum, “Interim Manual Operating Procedures
for Processing PowerTrack® Payments,” June 30, 1999. DFAS issued the guidance
because no systems electronic interface existed between PowerTrack® and DoD
payment and accounting systems. Of the 12 sites we visited, only 1 site was aware
of the DFAS interim guidance.

Revised Guidance. In April 2000, U.S. Transportation Command revised
DoD Regulation 4500.9-R, “DoD Transportation Regulation,” and incorporated
the business rules for processing the commercial freight payments through
PowerTrack®. The guidance delegated additional responsibility to Transportation
Officers and Funds Managers. The transportation office is now responsible for the
approving and certifying functions. The Funds Managers are required to review
the PowerTrack® Fund Managers Report to confirm that LOAs are properly cited
and to determine whether corresponding obligations exist. The guidance, however,
did not provide the necessary instructions to enable these officials to accomplish
their additional responsibilities or provide procedures for accomplishing those tasks
in an automated PowerTrack® environment. For example, the guidance is silent on
how to approve and certify transportation payments in PowerTrack®. In addition,
the DoD Regulation 4500.9-R tasked Funds Managers over whom they do not have
cognizance. Fund Manager responsibilities are under the purview of the Under
Secretary of Defense (Comptroller).
DoD Regulation 4500.9-R does not
adequately reflect the current operating environment for processing transportation
freight payments. For example, few Fund Managers have access to PowerTrack®
although they have been assigned specific responsibilities. The financial
management regulations need to be revised to support the DoD transportation
regulations as they pertain to Fund Managers and incorporate their responsibilities in
PowerTrack®. The revised guidance should be fully distributed to all
transportation offices and Fund Managers.

Transportation Officer Training. Transportation Officers were not given adequate
training to properly transact business through PowerTrack®. They received only
basic PowerTrack® training from U.S. Bank and no finance and accounting training.
U.S. Bank made overall introduction to PowerTrack® training available to all
PowerTrack® users. A distance learning package was also created for users who did
not attend the presentation. However, the PowerTrack® users we interviewed who
had completed the training did not understand PowerTrack® critical functionality or
how to use its essential modules and screens. Also, Transportation Officers had not
received training in finance and accounting to understand and successfully process
LOAs nor training as a Certifying Officer to prepare them to certify invoices for
payment. For example, the “Business Rules - Invoicing Module,” is critical to
managing the payment process from the Transportation Officer and Fund Manager
perspective. The invoicing module informs the users how carrier transactions will
be processed.
Even though Transportation Officers may have known how to access
and complete this module, they did not always understand their options or the laws
and regulations governing their choices. Likewise, Transportation Officers knew
how to access and certify invoices for payment in PowerTrack®, but they were not
aware of the financial or legal implications of their actions. Transportation Officers
and Fund Managers should be trained to ensure that they have a complete
understanding of the functionality of PowerTrack® and the laws and regulations
governing financial transactions.

Fund Manager Training. Fund Managers were not provided PowerTrack®
training. Few, if any, Funds Managers had access to PowerTrack® even though
the DoD guidance gives them a critical role in the transportation payment
process. According to the MRM No. 15 Program Management Office, the need
for Funds Manager training was recognized and in August 2000, a financial
management development team was formed. In March 2001, a PowerTrack
web-based training application and CD-ROM became available for Funds
Manager training. However, a requirement was not established for Funds
Managers to receive this training nor were controls established to ensure training
was received.

PowerTrack® Access Privileges. Procedures were not established to ensure
appropriate access and define user privileges in PowerTrack®. The OMB
Circular A-123 requires that basic controls be in place to ensure that access to
resources and records is limited to authorized individuals and accountability for the
custody and use of resources is appropriately assigned and maintained. DoD
Directive 5200.28 also requires that user access to information and operations be
limited to that for which the user is entitled by virtue of clearance and formal
access approval.
As of June 2000, approximately 1,600 DoD users had been
granted access to the PowerTrack® system, yet DoD had not established
procedures for granting access or defining user privileges in PowerTrack®.
U.S. Bank controls access to PowerTrack®. Anyone desiring access can contact
U.S. Bank at which point U.S. Bank may or may not confirm their authority with
DoD before allowing them access. Furthermore, DoD does not monitor
PowerTrack® user profiles or activity to ensure appropriate access, privileges, and
use. DoD needs to review, evaluate, and certify PowerTrack® access and
privileges. This has yet to be accomplished. We identified a number of serious
instances where DoD could not ensure the appropriateness of PowerTrack®
transactions.

Contractor Access. At Wright-Patterson Air Force Base, contractors are
authorized to perform transportation freight shipping functions such as initiating,
rating, and assigning shipments, but not approving payments. However, we
identified a contractor employee who had PowerTrack® approval privileges for
payments up to $25,000. Approval of carrier payments is an inherently
governmental function that can legally be performed only by a Government
employee. We identified five payment transactions totaling $662 that a contractor
had approved by searching the payment history of the individual shipment. The
Transportation Officer was not aware of the access level or privileges assigned to
the contractor. U.S. Bank was unable to provide us with a log of payments
approved by the contractor, so we were unable to determine the extent of the
problem.

Administrator Access. The Information Manager, Blue Grass Army
Depot, had approval authority for payments up to $25,000. The Information
Manager is responsible for system administration and should never have payment
approval authority.
In addition, at each transportation office, at least one user was
assigned administrative access to PowerTrack®. The administrative access allowed
users to add, delete, or modify user and carrier profiles within their respective
domain. At several of the sites we visited, administrative users also had maximum
payment approval authority.

Retiree Access. At the Defense Distribution Depot, Norfolk, a user who
had retired in July 1999 still had an enabled user profile with a $3,000 payment
approval authority as of June 2000.

Carrier Profiles. Similar control problems exist with carrier profiles as with the
user access and privileges. The Transportation Officer or U.S. Bank can establish
carrier profiles in PowerTrack®. Carrier profiles define how transactions will be
processed, as well as how carriers will be paid. Carrier profiles prescribe invoicing
modules and automatic payment options to be used with each carrier.

Controls Over Carrier Profiles. Control over carrier profiles is critical because
they authorize payment based on DoD input, carrier input, or automatic payment.
Yet DoD had not established basic controls over establishing carrier profiles or
ensured that Transportation Officers understood how to create and use them. In
addition, DoD does not monitor carrier profiles to ensure that they are properly
defined in the system. As a result, the Transportation Officer at the Blue Grass
Army Depot did not know that at least three carrier profiles were defined with
unlimited dollar thresholds, which meant that carrier invoices were automatically
approved for payment in PowerTrack® on notice of delivery without further
transportation office involvement. DoD needs to establish and monitor profiles to
maintain an acceptable level of operating security.

Transportation Officer Liabilities.
Control procedures over the certification of
PowerTrack® invoices were not adequate to ensure segregation of duties as
required by internal control standards. Transportation Officers were provided
neither the training nor the tools to successfully function as Certifying Officers.

Certifying Officer Delegation. In June 1999, the DFAS “Interim Manual
Operating Procedures for Commercial Transportation Purchased Through the U.S.
Bank PowerTrack® Service,” requires Transportation Officers to function in both an
approval and certification capacity contrary to basic principles of internal controls.
GAO publication, GAO/AIMD-00-21.3.1, “Standards for Internal Control in the
Federal Government,” November 1999, prescribes that, “Key duties and
responsibilities need to be divided or segregated among different people to reduce the
risk of error or fraud.” This should include separating the responsibilities for
authorizing transactions, processing and recording them, reviewing the transaction,
and handling any related assets. One individual should not control all key aspects of
a transaction process. Further, as previously discussed, Transportation Officers
have neither sufficient visibility over funding nor were they adequately trained to
conduct Certifying Officer duties. The Certifying Officer responsibilities are
specified in 31 U.S.C. 3325 and 3528, which state that the Certifying Officer is
responsible for information stated in the voucher, supporting documentation and
records, computation, and the legality of a proposed payment under the
appropriation or fund involved.
The Certifying Officer responsibility is consistently
described in the DoD Financial Management Regulations, Volume 5, Chapter 33,
“Accountable Officials and Certifying Officers.” Thus, the Certifying Officer is
responsible for ensuring and validating that the appropriate funding is available and
used on the PowerTrack® monthly invoice. Procedural guidance was not sufficient
to ensure data accuracy or consistent and efficient processing of PowerTrack®
invoices. Therefore, we consider the delegation of the certification responsibility to
be unacceptable because Transportation Officers are inappropriately exposed to
pecuniary liabilities without due preparation.

Certifying Officer Responsibilities. Each month, the transportation office
obtains a PowerTrack® billing statement aggregated by LOA. The Transportation
Officer is supposed to certify the statement within 5 business days. To
accomplish this, the Transportation Officer must review the billing statement to
ensure that it is correct, certify the statement for payment, and submit it to the
appropriate DFAS office for disbursement. The DoD goal appears to be that
DFAS will disburse funds based on the Transportation Officer's approval, without
further review or certification. Inspector General, DoD, Report No. D2000-139,
“Controls Over the Integrated Accounts Payable System,” June 5, 2000,
identified numerous deficiencies in the Department's procedures for handling
vendor payments. GAO/AIMD-00-21.3.1, “Standards for Internal Control in the
Federal Government,” November 1999, requires access restrictions and
segregation of key duties in authorizing, processing, recording, and reviewing
transactions. The majority of DoD transportation payments are processed using
vendor pay systems.
Therefore, the internal control environment for receipt and
acceptance of transportation shipments prescribed by 5 Code of Federal
Regulations Part 1315, “Prompt Pay Act: Final Rule,” must apply and DoD must
ensure that sufficient controls exist so that no single individual is responsible for
the entire transportation freight transaction.

Pecuniary Liabilities. Title 31, U.S.C., 3528, and the DoD Financial
Management Regulation, Volume 5, Chapter 33, section 3302, hold Certifying
Officers pecuniarily liable for erroneous payments. Draft Certifying Officer
business rules delegating certification responsibilities will result in undue risk of
pecuniary liability to DoD Transportation Officers. In 1998, DoD implemented
31 U.S.C. 3325, which requires certification of Departmental disbursements.
Under these regulations, Certifying Officers are considered pecuniarily liable for
erroneous payments resulting from the negligent performance of their duties.
They are responsible for paying payments that are determined to be illegal,
improper, or incorrect because of inaccurate or misleading certification that does
not represent a legal obligation under the appropriation or are prohibited by law.
For most vendor pay actions, DFAS performs Certifying Officer functions. DoD
procedures for reimbursing U.S. Bank for PowerTrack® invoices rely heavily on
the controls in vendor pay systems. Yet DoD is deviating from those controls for
transportation freight payments by recommending that the Military Departments
and Defense agencies appoint Transportation Officers to certify carrier payments.
The Transportation Officers do not have access to the accounting systems and
have no visibility over the supporting obligation data for funding payments,
besides their own.
Therefore, they have no ability to validate (or certify) the
validity of other LOAs, but DFAS does.

In July 2000, DFAS reported that 45 percent of the certified PowerTrack® invoices
were delayed for payment because of missing or inadequate obligations or
inaccurate and incomplete LOAs. After certification for payment, the Certifying
Officer should be prepared to assume full liability for all improper payments,
because the GAO may not provide relief for transportation officials who make
improper certifications, especially when not initially supported by a valid
obligation. The use of the Transportation Officer as certifying official is a choice of
last resort. We believe that transportation payment certification responsibilities
should be retained by DFAS along with their vendor payment responsibilities to
ensure total visibility of all payments.

Certifying Officer Training. The training provided to date was insufficient to
instruct the Transportation Officers in their roles and responsibilities for
certifying PowerTrack® invoices. In most cases, officials required to perform
certification functions did not and could not comply with requirements. At
the sites visited, we received mixed responses regarding what constitutes
PowerTrack® invoice certification procedures and responsibilities. This lack of
understanding made clear that Transportation Officer certifications of
PowerTrack® invoices were all too often superficial at best. Certifying Officers
are also required to review Transportation Account Codes and LOAs for
accuracy prior to certifying invoices, but this was not being done at the sites we
visited.
Furthermore, as previously discussed, Transportation Officers simply
were not provided the level of training commensurate with the Certifying
Officer obligations and responsibilities imposed on them. The Certifying
Officers need to receive Certifying Officer training. According to the Assistant
Deputy Under Secretary of Defense (Transportation Policy), DFAS developed a
Certification Officer Legislation Training compact disk. The Military
Components and Defense agencies provided comments to the training disk in
November 2000. Once the Component and agency comments are considered,
the training disk could be used as a training tool for the Certifying Officers.

Post Payment Random Reviews. Draft Certifying Officer business rules
provide for post payment random reviews. The intent of a post payment
review is to ensure payment accuracy and minimize the risk of errors and
fraud. However, the business rules assign responsibility for the post payment
random reviews to the same office that has control over the transportation
freight process. The transportation freight process includes establishing user
profiles, authorizing shipments, and certifying invoices for payment.
Furthermore, the business rules did not specify the decision rules or corrective
actions needed based on the result of the review. Therefore, we question
whether the reviews will be an effective tool to detect error or fraud unless
designed and conducted at the DFAS level by individuals who do not have
control over the transportation freight process.

Summary

Although PowerTrack® is a commercially owned electronic commerce
application, it is incorporated into the DoD transportation payment process.
PowerTrack® processes, stores, transmits, and displays sensitive DoD financial
information and contractor proprietary data.
The PowerTrack® data are used by
DoD to pay the carrier and to reimburse U.S. Bank. Therefore, PowerTrack®
should comply with the same provisions as other DoD financial management
systems. The Federal Financial Management Improvement Act and supplemental
OMB and DoD guidance are applicable to PowerTrack®. Controls over the
automated transportation freight payment process were not adequate to safeguard
sensitive information or to ensure the production of reliable data. DoD must
fully assess and mitigate the risks associated with using the PowerTrack® service.
Continuing to operate without effective security and internal controls is
imprudent. Likewise, DoD efforts to expedite an implementation strategy that
circumvents prescribed management controls and places DoD employees at
unneeded risk are not in the best interest of the Department. Delegated
certification authority inappropriately exposed Transportation Officers to
pecuniary liabilities. Also, Transportation Officers were inadequately trained to
accomplish Certifying Officer responsibilities. All too often PowerTrack®
invoice certifications were superficial at best. Lastly, we do not believe the post
payment random reviews as structured will be effective deterrents to error or
fraud unless designed and conducted at the DFAS level by individuals who do
not have control over the entire transportation freight payment process.

Recommendations, Management Comments, and Audit Response

Deleted and Renumbered Recommendations. As a result of the comments, we
revised Recommendation B.1.a. to incorporate the intent behind draft report
Recommendations B.1.b. and B.1.c. We deleted draft report
Recommendations B.1.b. and B.1.c. and renumbered the remaining
recommendation to Recommendation B.1.b.

B.1.
    We recommend that the Under Secretary of Defense for Acquisition,
    Technology, and Logistics:

        a. Appoint an executive agent to take responsibility for operation of
    PowerTrack® within DoD and to ensure that all control risks associated with
    its use are understood and mitigation of risks are planned and PowerTrack® is
    compliant with all applicable DoD policies.

        b. Contract with U.S. Bank to phase out the use of ActiveX or use
    ActiveX in accordance with DoD policy.

    Management Comments. The Assistant Deputy Under Secretary of Defense
    (Transportation Policy) nonconcurred with the Recommendations B.1.a., B.1.b.,
    and B.1.c., stating that the recommendations propose a bureaucratic process for
    assessing the security implications of a commercial off-the-shelf application.
    PowerTrack® is a commercial off-the-shelf web-based application and DoD has no
    software rights to this application. As such, DoD Information Technology
    Security Certification and Accreditation Process (DITSCAP) requirements do not
    apply. The Assistant Deputy Under Secretary of Defense (Transportation Policy)
    agreed that DoD needs and would strongly support an effective commercial
    off-the-shelf assessment policy to ensure security of DoD systems.

    The Assistant Deputy Under Secretary of Defense (Transportation Policy)
    concurred with Recommendation B.1.b., stating that it complies with DoD policy.
    On April 12, 2001, the Assistant Secretary of Defense (Command, Control,
    Communications, and Intelligence) issued a memorandum that stated the use of
    ActiveX in PowerTrack® complies with DoD policy because ActiveX is signed
    with Microsoft Authenticode, an approved commercial code-signing certificate.

    Audit Response.
    The Assistant Deputy Under Secretary of Defense
    (Transportation Policy) met with the Deputy Inspector General, DoD, on
    April 16, 2001, to discuss the recommendations and tone of the report prior to
    submitting comments. The Assistant Deputy Under Secretary of Defense
    (Transportation Policy) comments on renumbered Recommendation B.1.b. (draft
    report Recommendation B.1.d.) are fully responsive. The Assistant Deputy
    Under Secretary of Defense (Transportation Policy) comments on revised
    Recommendation B.1.a. are nonresponsive. PowerTrack® is more than a
    commercial off-the-shelf web-based application. PowerTrack® is an electronic
    commerce application that stores DoD data and is an integral part of the DoD
    transportation payment process. Regardless of whether the electronic commerce
    application is a new means for doing business within DoD, management is
    ultimately responsible for implementing sound financial management practices and
    systems. Current policy exists that defines management responsibility for
    establishing effective internal and system controls. With the Department’s plans
    for PowerTrack® to operate as a subsidiary ledger for transportation, it is
    imperative for PowerTrack® to substantially comply with the same Federal
    financial system requirements as the rest of DoD accounting, finance, and feeder
    systems.

    It is not bureaucratic to recommend the responsible proponent to act prudently
    to protect DoD data and aggressively implement information assurance
    requirements.
    Although appointment of a Designated Approving Authority and
    Information System Security Officer seems appropriate for security risk
    management of PowerTrack, the execution of the requirements placed on the
    Under Secretary of Defense for Acquisition, Technology, and Logistics by the
    Assistant Secretary of Defense (Command, Control, Communications, and
    Intelligence) August 30, 2000, memorandum will also meet the intent of draft
    report Recommendations B.1.a., B.1.b., and B.1.c. The memorandum stated
    that integration of commercial services with existing DoD legacy systems is a
    new implementation model but does not require a DITSCAP certification and
    accreditation. However, the Assistant Secretary of Defense (Command,
    Control, Communications, and Intelligence) memorandum elaborated by stating
    that up front consideration to understand the impact of the implementation on
    DoD network information assurance is required. In addition, the executive
    agent responsible for the business process should ensure that risks associated
    with the use of commercial off-the-shelf web-based applications are understood
    and the mitigation of those risks is planned. The executive agent, in
    collaboration with each affected Component CIO, will determine the DoD-wide
    approach for determining, mitigating and accepting risk of implementation.
    Establishing an executive agent responsible for overall management controls
    associated with the automated transportation payment process and executing the
    requirements established by the Assistant Secretary of Defense (Command,
    Control, Communications, and Intelligence) will meet the intent of our draft
    report Recommendations B.1.a., B.1.b., and B.1.c. Therefore, we request the
    Under Secretary of Defense for Acquisition, Technology, and Logistics
    reconsider the revised recommendation.

    B.2. We recommend that the Under Secretary of Defense (Comptroller):

        a.
    Retain Certifying Officer responsibilities at the Defense Finance and
    Accounting Service for PowerTrack® payments.

        b. Revise the DoD Financial Management Regulation to reflect changes
    in the Defense Transportation Regulation as they pertain to Funds Managers’
    use of PowerTrack®.

    Management Comments. The Deputy Chief Financial Officer, Under Secretary of
    Defense (Comptroller) concurred in principle with Recommendation B.2.b. stating
    that the Defense Transportation Regulations would be reviewed and the DoD
    Financial Management Regulation updated as appropriate. The Deputy Chief
    Financial Officer, Under Secretary of Defense (Comptroller) nonconcurred with
    Recommendation B.2.a. stating that the Transportation Officers do have the
    expertise to certify the monthly billing statement because the Transportation Officer
    is the only one responsible for assuring that the transportation services requested are
    for valid purposes. The Transportation Officer must understand and have access to
    financial data and rely on the controls in place to ensure that the information
    obtained is valid and funding is available. Sound financial management and internal
    controls for disbursing practices dictate that Certifying Officers be independent and
    organizationally separate whenever practical.

    Audit Response. The Deputy Chief Financial Officer, Under Secretary of Defense
    (Comptroller) comments are responsive to Recommendation B.2.b. and
    nonresponsive to Recommendation B.2.a.
    To ensure strong internal controls, the
    Certifying Officer must know the subject matter (that is, transportation), voucher
    preparation, appropriations, accounting classifications, and payment process.
    Although we agree with the Deputy Chief Financial Officer, Under Secretary of
    Defense (Comptroller) that the Transportation Officer is the most knowledgeable
    individual for assuring that the transportation services requested are valid, he is not
    the most knowledgeable individual on the obligation data supporting the 13,000
    LOAs. A representative from the Under Secretary of Defense (Comptroller) stated
    during a meeting with us on April 16, 2001, that a task force was formed to explore
    ways to provide the Transportation Offices with the additional funding knowledge
    but to date it has yet to occur. Current practice is asking the Transportation Officer
    to rely on the financial data even though during a 14-month period DFAS was unable
    to validate 73 percent of the financial data in PowerTrack. DFAS, which is
    knowledgeable in voucher preparation, appropriations, accounting classifications,
    and the payment process and has access to appropriations, should rely on the
    Transportation Officer with regard to the legality and validity of the shipment. The
    Transportation Officer acting as the accountable official would be responsible for the
    internal controls related to the shipment and approval of carrier payment; applicable
    DoD regulations; providing the Certifying Officer with timely and accurate data to
    ensure that payments are supportable, legal, and computed correctly; and timely
    reconciliation of possible or actual erroneous payments. The Transportation Officer
    will still be pecuniarily liable for erroneous payments made as a result of negligent
    performance of official duties. We request the Under Secretary of Defense
    (Comptroller) reconsider Recommendation B.2.a.
    and provide additional comments
    to the final report.

    B.3. We recommend that the Assistant Secretary of Defense (Command,
    Control, Communications, and Intelligence):

        a. Establish guidance to clarify management responsibilities and ensure
    that the appropriate level of information security is applied and associated
    risks are assessed when using any information system that transmits, stores, or
    displays DoD information. The guidance should be specific to commercial
    off-the-shelf products and electronic commerce applications used but not owned
    by the Government, such as PowerTrack®.

        b. Establish standard contracting language for all information systems
    contracts. The contracting language should identify the responsibilities for
    ensuring compliance with financial management systems requirements and
    systems and data security for electronic commerce applications that are used
    but not owned by the Government.

        c. Update policy to establish the applicability of Defense Information
    Technology Security Certification and Accreditation Process to commercial
    off-the-shelf products and electronic commerce applications used but not
    owned by the Government, such as PowerTrack®.

        d. Provide guidance to clarify the Designated Approving Authority
    responsibilities with respect to the coverage of DoD-wide information systems
    including the use of commercial off-the-shelf products and electronic
    commerce applications, such as PowerTrack®.

        e. Validate the security connection and all security controls associated
    with using PowerTrack®.

    Management Comments.
    The Deputy Chief Information Officer, Assistant
    Secretary of Defense (Command, Control, Communications, and Intelligence)
    concurred in principle with all recommendations, stating that current guidance
    already exists that describes management responsibilities with regard to systems
    security and risk assessments and the Designated Approving Authority. A
    distinction was made between commercial off-the-shelf products and electronic
    commerce applications. A new 8500-series Information Assurance policy is being
    issued that will consolidate current guidance and policies and include additional
    policy and procedures that will explicitly address commercial off-the-shelf products
    and electronic commerce applications, such as PowerTrack®. Management is
    working with the Under Secretary of Defense for Acquisition, Technology, and
    Logistics to determine whether additional contracting language is necessary.
    Management stated that DITSCAP instructions are also being reviewed and will
    incorporate instructions on commercial off-the-shelf products and electronic
    commerce applications. Management has already taken action to validate the use
    of ActiveX mobile code to ensure its use complies with DoD policy.

    Audit Response. The Deputy Chief Information Officer, Assistant Secretary of
    Defense (Command, Control, Communications, and Intelligence) comments are
    partially responsive. Management validated and approved the use of ActiveX
    mobile code in the PowerTrack® application; however, no specific actions were
    discussed about actions taken to validate the security controls in PowerTrack.
    Therefore, management is requested to provide additional comments to the final
    report on Recommendation B.3.e. explaining specific actions planned and expected
    completion date for validating the security controls in PowerTrack.

    B.4. We recommend that the U.S. Transportation Command:

        a.
    Ensure that each transportation office assigns an individual who is
    not involved in payment approving and certifying processes to administer and
    control PowerTrack® profiles.

        b. Implement Public Key Infrastructure access based on Federal
    Information Protection Standard 228, level 2 for all PowerTrack®
    transactions, access, and data transmission.

        c. Revise the Defense Transportation Regulation to reflect the current
    automated transportation freight payment process.

        d. Ensure that Transportation Officers are trained and fully understand
    the transportation payment process and functionality of PowerTrack®.

        e. Develop and implement standard operating procedures to establish
    and monitor PowerTrack® access, user privileges and carrier profiles.

    Management Comments. The Assistant Deputy Under Secretary of Defense
    (Transportation Policy) coordinated her response with the U.S. Transportation
    Command. Management concurred with Recommendation B.4.c. stating that the
    Defense Transportation Regulation was updated and reflected the current process
    for all transportation modes. Management concurred with
    Recommendation B.4.c., and concurred in principle with Recommendations
    B.4.a., B.4.b., B.4.d., and B.4.e. stating that the actions recommended are
    needed, but did not believe that U.S. Transportation Command is responsible for
    implementing the recommended actions and believes that Recommendations B.4.a.,
    B.4.b., B.4.d., and B.4.e. are more appropriately suited for the Military
    Components and Defense agencies.

    Audit Response. Management comments are nonresponsive. We believe that the
    U.S. Transportation Command needs to take responsibility for the automated
    transportation payment process and ensure that management controls are
    established and effective to safeguard DoD assets.
    We request that the Under
    Secretary of Defense for Acquisition, Technology, and Logistics reconsider its
    responsibilities and provide comments to Recommendations B.4.a., B.4.b., B.4.c.,
    and B.4.d. on the final report.

    B.5. We recommend that each of the Chief Information Officers of the
    Military Components:

        a. Ensure that the System Security Authorization Agreement associated
    with each transportation office includes the PowerTrack® application.

        b. Disable the downloading and execution of all mobile code on all local
    systems unless the mobile code is compliant with DoD policy.

    Army Comments. The Army did not comment on the draft of this report.

    Navy Comments. The Navy concurred with the recommendations, stating that it
    will ensure that System Security Authorization Agreements associated with each
    transportation office are updated to include the PowerTrack® application and ensure
    that all mobile code is executed in compliance with DoD policy.

    Air Force Comments. The Air Force concurred with the
    Recommendation B.5.b., stating that it will issue instruction for all relevant parties
    to comply with DoD mobile code policy. The Air Force did not comment on
    Recommendation B.5.a.

    Audit Response. The Navy comments are fully responsive. The Air Force
    comments are responsive on Recommendation B.5.b. We request that the Army
    provide comments on the final report and that the Air Force provide comments on
    Recommendation B.5.a. on the final report.

Appendix A. Audit Process

Scope and Methodology
    Work Performed. We evaluated the controls over the automated transportation
    freight payment process, data accuracy, financial reporting requirements, and the
    implementation of the PowerTrack® service.
    Specifically, in February 2000, we
    judgmentally selected 12 transportation offices from a universe of 440 offices using
    PowerTrack® to review their automated transportation payment process. The sites
    visited included two Army, two Air Force, three Navy, three Defense Logistics
    Agency activities, and two Defense Contract Management Agency activities. The
    sites were selected based on geographic location, volume of transactions processed
    through PowerTrack®, and Defense activity.

    At 11 of the 12 sites, we reviewed monthly bank statements certified during the
    months of December 1999 through March 2000. We reviewed 1,833 transactions
    processed on 19 certified monthly bank statements. We interviewed personnel
    involved in the transportation payment process including Transportation Officers
    and Funds Managers. We extracted and analyzed PowerTrack® data processed
    from February 1999 through May 2000. We researched laws and regulations
    governing financial reporting requirements. We met with representatives from the
    Office of the Assistant Deputy Under Secretary of Defense (Transportation
    Policy); DFAS; the DoD transportation community; PricewaterhouseCoopers,
    Limited Liability Partnership; and U.S. Bank.

    DoD-Wide Corporate Level Government Performance and Results Act
    Goals. In response to the Government Performance and Results Act, the
    Secretary of Defense annually establishes DoD-wide corporate level goals,
    subordinate performance goals, and performance measures. This report pertains
    to achievement of the following goals, subordinate performance goals and
    performance measures.

    FY 2001 DoD Corporate Level Goal 2: Prepare now for an uncertain future by
    pursuing a focused modernization effort that maintains U.S. qualitative superiority
    in key warfighting capabilities.
    Transform the force by exploiting the Revolution
    in Military Affairs, and reengineer the Department to achieve a 21st century
    infrastructure. (01-DoD-2)

        •   FY 2001 Subordinate Performance Goal 2.4: Meet combat forces’
            needs smarter and faster, with products and services that work better
            and cost less, by improving the efficiency of DoD acquisition processes.
            (01-DoD-2.4) FY 2001 Performance Measure 2.4.5: Percentage of
            DoD Paperless Transactions. (01-DoD-2.4.5)

        •   FY 2001 Subordinate Performance Goal 2.5: Improve DoD financial
            and information management. (01-DoD-2.5) FY 2001 Performance
            Measure 2.5.3: Qualitative Assessment of Reforming Information
            Technology Management. (01-DoD-2.5.3)

    DoD Functional Area Reform Goals. Most major DoD functional areas have
    also established performance improvement reform objectives and goals. This
    report pertains to achievement of the following functional area objectives and
    goals.

        •   Financial Management Functional Area. Objective: Consolidate
            finance and accounting operations. Goal: Reduce and improve
            accounting systems. (FM-2.2)

        •   Financial Management Functional Area. Objective: Eliminate
            problem disbursements. Goal: Reduce problem disbursements by over
            60 percent. (FM-3.1)

        •   Financial Management Functional Area. Objective: Strengthen
            internal controls. Goal: Improve compliance with the Federal
            Managers’ Financial Integrity Act. (FM-5.3)

    GAO High-Risk Area. The GAO has identified several high-risk areas in the
    DoD. This report provides coverage of the Defense Financial Management
    high-risk area.

    Use of Computer-Processed Data.
    To achieve the audit objectives, we relied on
    computer-processed data contained in PowerTrack®. Our review of data processed
    through the system showed an error rate that questions the validity of the data.
    However, when the data are reviewed in context with other available evidence, we
    believe that the opinions, conclusions, and recommendations in this report are
    valid.

    Audit Type, Dates, and Standards. We performed this financial-related
    program audit from October 1999 through February 2001, in accordance with
    auditing standards issued by the Comptroller General of the United States, as
    implemented by the Inspector General, DoD. We did our work in accordance
    with generally accepted Government auditing standards except that we were
    unable to obtain an opinion on our system of quality control. The most recent
    external quality control review was withdrawn on March 15, 2001, and we will
    undergo a new review.

    Universe and Sample. Of 440 total transportation offices identified by
    U.S. Bank, we judgmentally sampled 12 transportation offices. At 11 of the 12
    sites, we extracted and totaled, by site, for each month, the number of commercial
    freight shipments and electronic bills with the corresponding dollar amount,
    number of transportation control numbers and LOAs processed through
    PowerTrack®.

    Use of Technical Assistance. The Quantitative Methods Division of the Office of
    Assistant Inspector General for Auditing assisted the audit by computing late
    payment charges incurred from January 2000 through September 2000. The
    charges were computed based on simple interest computations assuming an annual
    interest rate of 6.75 percent and 365 days in a year. Interest was calculated based
    on past due DoD PowerTrack® balances on intervals of 15 days, 45 days,
    75 days, 105 days, 135 days, and 165 days during the period.

    Contacts During the Audit.
    We visited or contacted individuals and organizations
    within DoD; PricewaterhouseCoopers, Limited Liability Partnership; and
    U.S. Bank. Further details are available upon request.

Management Control Program Review
    DoD Directive 5010.38, “Management Control (MC) Program,” August 26,
    1996, and DoD Instruction 5010.40, “Management Control (MC) Program
    Procedures,” August 28, 1996, require DoD organizations to implement a
    comprehensive system of management controls that provides reasonable
    assurance that programs are operating as intended and to evaluate the adequacy
    of the controls.

    Scope of the Review of the Management Control Program. We reviewed the
    adequacy of management controls over the automated transportation payment
    process accomplished through the PowerTrack® service. Specifically, we reviewed
    transportation office management controls over approving carrier payments,
    certifying monthly invoices, and system security. We did not review
    management’s self-evaluation applicable to those controls because the PowerTrack®
    service was not fully implemented or operational.

    Adequacy of Management Controls. We identified material management control
    weaknesses within the automated transportation payment process and PowerTrack®
    service as defined by DoD Instruction 5010.40. The management controls over the
    automated transportation payment process and PowerTrack® service were not
    adequate to ensure DoD resources were safeguarded. For a detailed discussion on
    the management control weaknesses identified during our review, see finding B of
    the report.
    A copy of the report will be provided to the senior official responsible
    for management controls in the Office of the Under Secretary of Defense for
    Acquisition, Technology, and Logistics.

Prior Coverage
General Accounting Office
    GAO Report No. NSIAD-00-72 (OSD Case No. 2014), “Defense Management:
    Actions Needed to Sustain Reform Initiatives and Achieve Greater Results,”
    July 25, 2000

    GAO Report No. NSIAD-00-108 (OSD Case No. 2006), “Defense Management:
    Electronic Commerce Implementation Strategy Can Be Improved,” July 18, 2000

    GAO Report No. NSIAD-00-7 (OSD Case No. 1890), “Defense Transportation:
    Process Reengineering Could Be Enhanced by Performance Measures,”
    December 20, 1999

    GAO Testimony No. T-AMID/NSIAD-00-264, “Implication of Financial
    Management Issues,” testimony of Jeffrey C. Steinhoff before the Task Force on
    Defense and International Relations, Committee on the Budget, House of
    Representatives, release date July 20, 2000

    GAO, “Results of FY 1999 Financial Audit of the Department of Defense,”
    testimony of Jeffrey C. Steinhoff before a hearing of the Subcommittee on
    Government Management, Information, and Technology, release date May 9, 2000

Inspector General
    Inspector General, DoD, Report No. 96-044, “Freight Shipment Deliveries,”
    December 12, 1995

    Inspector General, DoD, Report No. 98-016, “Controls over Government Bills of
    Lading,” November 3, 1998

    Inspector General, “Department of Defense Financial Management,” testimony of
    Robert J.
    Lieberman before the Task Force on Defense and International Relations,
    House Committee on the Budget, release date July 20, 2000

    Inspector General, “Results of FY 1999 Financial Audit of the Department of
    Defense,” testimony of Robert J. Lieberman - Assistant Inspector General for
    Auditing, Department of Defense, before a hearing of the Subcommittee on
    Government Management, Information, and Technology, release date May 9, 2000

Appendix B. Automated Transportation Payment Process

    [Figure: flowchart of the automated transportation payment process, with
    numbered steps 1 through 11 connecting the Requestor, Fund Manager, Shipper
    System, Carrier, Transportation Officer, PowerTrack® (U.S. Bank), and DFAS
    Center. Legend: Manual Process, Electronic Process, Future Proposed Process.]

Implementation Steps
    1.   Requestor obtains the designated and funded LOA for the shipment from the
         Funds Manager.

    2.   Requestor provides shipment request to the Transportation Officer.

    3.   Shipment information is entered into the shipper systems (Defense Supply
         Services/Electronic Transportation Acquisition/Cargo Movement Operation
         Systems) and carriers are assigned.

    4.   Carrier picks up shipment and a hardcopy of the bill of lading.

    5.
Shipment information is released to PowerTrack® from the shipper systems.\n\n    6.   The carrier delivers the shipment and enters notice of delivery into\n         PowerTrack®. The invoice is then generated using one of the following\n         invoicing methods.\n\n             Self Invoicing. The invoice is generated using the Transportation Officer\n             shipping data.\n\n             Matching. Two invoices are generated. One invoice is generated using\n             the Transportation Officer shipping data (self invoicing) and the other\n             invoice is generated using the carrier’s shipping data (carrier invoicing).\n             The invoices are matched electronically in PowerTrack®.\n\n             Carrier Invoicing. The invoice is generated using the carrier’s shipping\n             data.\n\n    7.   Carrier payments are approved. U.S. Bank defines the method of approval in\n         PowerTrack® by carrier and the transportation office.\n\n             Manual Approval. Transportation Officer manually reviews and\n             approves carrier payment in PowerTrack® after the carrier posts the\n             notice of delivery in PowerTrack®.\n\n             Automatic Approval. PowerTrack® automatically approves carrier\n             payment without the Transportation Officer review once the carrier posts\n             the notice of delivery in PowerTrack®.\n\n    8.   U.S. Bank pays carrier based on approved invoice.\n\n    9.   Transportation office, in coordination with the Funds Managers, reviews the\n         U.S. Bank monthly invoice to ensure it reflects appropriate LOAs and actual\n         carrier charges.\n\n    10. Transportation Officer certifies U.S. Bank monthly invoice and submits it to\n        DFAS for payment to U.S. Bank.\n\n    11. DFAS pays U.S. Bank.\n\nAppendix C. 
Examples of Lines of Accounting\n   We randomly selected 15 LOAs for review. Nine LOAs were selected from the\n   Transportation Officer's certified invoices and the other six LOAs were selected\n   from the PowerTrack® system April 2000 invoices. Of the 15 LOAs reviewed,\n   9 LOAs were inaccurate.\n\n  Army Lines of Accounting. We reviewed five Army LOAs. Four of the LOAs\n  were inaccurate. For example, one LOA identified the expenditure of Army\n  Procurement funds belonging to the Army Tank Automotive Command that were\n  used for the Heavy Tactical Vehicles Program. The LOA also identified that the\n  funds were used for commercial land transportation. The program identification code\n  for the Heavy Tactical Vehicles Program and the fiscal year were incorrectly stated.\n  Transportation of Things object class for the Army Tank Automotive Command,\n  Heavy Tactical Vehicles program makes up less than 0.78 percent of the total\n  FY 2000 Heavy Tactical Vehicles Program budget.\n\n  Navy Lines of Accounting. We reviewed two different Navy LOAs that were\n  extracted from the PowerTrack® database. According to the Navy, the LOAs were\n  missing the accounting classification reference number. In addition, one LOA was\n  missing the standard document number and the other was missing the fiscal year.\n  The LOAs identified Operation and Maintenance Navy appropriation allocated to\n  the Naval Transportation Support Center which centrally manages the Naval Supply\n  System Command Operation and Maintenance funds for the Transportation of\n  Things object class. Transportation represents roughly 44 percent of the total\n  FY 2000 Naval Supply System Command total Operation and Maintenance budget.\n\n  Marine Corps Lines of Accounting. 
We reviewed one Marine Corps LOA, which\n  was incorrect because the fiscal year and transportation account code did not agree.\n  The fiscal year annotated in the LOA identified Headquarters, Marine Corps\n  Operation and Maintenance funds for FY 1999 for the Transportation of Things\n  object class. The transportation account code, MG50, was a FY 2000 code.\n  Nevertheless, the Transportation Officer certified the LOA and submitted it to DFAS\n  for payment. The Marine Corps funds for the Transportation of Things object class\n  were centrally managed and represented less than one percent of Headquarters,\n  Marine Corps Operation and Maintenance funds.\n\n  Air Force Lines of Accounting. We reviewed three Air Force LOAs and one was\n  inaccurate. The Transportation Officer certified an invoice with an inaccurate LOA.\n  The LOA misstated the Operation and Maintenance appropriation code. The LOA\n  identified the Air Combat Command, 1st Fighter Wing, Traffic Management\n  Squadron at Langley Air Force Base, FY 2000 Operation and Maintenance funds for\n  the Transportation of Things object class. For FY 2000, Transportation of Things\n  object class represents roughly .06 percent of the 1st Fighter Wing Operation and\n  Maintenance budget.\n\n  Defense Logistics Agency Lines of Accounting. We reviewed four LOAs belonging\n  to the Defense Logistics Agency working capital fund. According to the Defense\n  Logistics Agency, only one of the LOAs contained an error. The object class was\n  alphanumeric and not numeric. For FY 1999 and FY 2000 Transportation of Things\n  object class represented roughly 0.0025 percent and 0.0036 percent, respectively, of\n  Defense Logistics Agency working capital fund budget.\n\nAppendix D. Criteria\n   Section 3512, Title 31, United States Code. The U.S. 
Code requires agencies\n   to establish and maintain systems of accounting and internal controls to provide\n   adequate financial information the agency needs for management purposes. The\n   systems should also provide effective control over and accountability for assets\n   for which the agency is responsible.\n\n   Federal Financial Management Improvement Act (FFMIA). The FFMIA\n   requires agencies to implement and maintain financial management systems that\n   comply substantially with Federal financial management systems requirements,\n   applicable Federal accounting standards, and the Standard General Ledger at the\n   transaction level. In addition, the FFMIA states that financial management\n   systems include the financial systems and the financial portions of mixed systems\n   necessary to support financial management, including automated and manual\n   processes, procedures, controls, data, hardware, software, and support personnel\n   dedicated to the operation and maintenance of system functions.\n\n   Computer Security Act of 1987. The “Computer Security Act of 1987,” Public\n   Law 100-235, requires the establishment of security plans by agencies of Federal\n   computer systems that contain sensitive information. The Act defines a “Federal\n   computer system” as “. . . a computer system operated by a Federal agency or by\n   a contractor of a Federal agency or other organization that processes information\n   on behalf of the Federal Government to accomplish a Federal function . . .”. The\n   Act defines the term “sensitive information” to mean “. . . any information, the\n   loss, misuse, or unauthorized access to or modification of which could adversely\n   affect the … conduct of Federal programs, or the privacy to which individuals are\n   entitled under 5 U.S.C. 
552a (the Privacy Act).” PowerTrack®, by virtue of its\n   application within DoD, is a Federal computer system and contains sensitive data,\n   and the requirements established in Public Law 100-235 are applicable.\n\n   Prompt Payment Act. OMB final rule on the Prompt Payment Act, 5 Code of\n   Federal Regulations, Part 1315, and OMB Circular No. A-123, “Management\n   Accountability and Control,” which implements the Prompt Payment Act, requires\n   agency heads to issue internal procedures for monitoring the causes of late\n   payments and interest charges incurred. In addition, the agency head must ensure\n   that effective internal control systems are established and maintained.\n   Administrative activities required for payments to vendors under this part are\n   subject to periodic quality control validation to be conducted no less frequently than\n   once a year. Quality control processes will be used to confirm that controls are\n   effective and that processes are efficient. Each agency head is responsible for\n   establishing a quality control program in order to quantify payment performance,\n   qualify corrective actions, aid cash management decision-making, and estimate\n   payment performance if actual data are unavailable.\n\n   OMB Circular No. A-130. The OMB Circular No. A-130, “Management of\n   Federal Information Resources,” February 8, 1996, establishes policy for the\n   management of Federal information resources and links automated information\n   security programs and management control systems established in accordance with\n   OMB Circular A-123. The established criteria require that the automated\n   information systems safeguard information against tampering, loss, and\n   destruction. 
Automated information systems are defined as an assembly of\ncomputer hardware, software, firmware, or some combination of the three,\nconfigured to collect, create, communicate, compute, disseminate, process, store,\nor control data or information and includes application and operating system\nsoftware. Because PowerTrack® is an integral part of the transportation payment\nprocess, the requirements established in OMB Circular A-130 are applicable.\n\nOMB Circular No. A-127. OMB Circular No. A-127, “Financial Management\nSystems,” revised June 10, 1999, outlines the financial management system\nrequirements that are now statutorily required by the FFMIA. It prescribes policy\nand standards to follow in developing, operating, evaluating, and reporting on\nfinancial management systems. The financial management system requirements\nrequire compliance with security controls in accordance with the Computer Security\nAct of 1987 and OMB Circular A-130. It also requires a system of internal controls\nthat ensures resources are used consistent with laws, regulations, and policies;\nresources are safeguarded against waste, loss, and misuse; and reliable data are\nobtained, maintained, and disclosed, as prescribed in OMB Circular A-123.\nFinancial management systems are defined as information systems that collect,\nprocess, maintain, or transmit financial events to support financial management.\nPowerTrack® collects, maintains, and transmits financial data and is integral to the\nfinancial management of transportation and therefore is considered a financial\nmanagement system.\n\nOMB Circular No. A-123. OMB Circular No. A-123, “Management\nAccountability and Control,” June 21, 1995, incorporates provisions of the Federal\nManagers’ Financial Integrity Act. 
OMB Circular A-123 provides guidance to\nFederal managers on improving accountability and effectiveness as they reengineer\nagency operations and programs. It requires that management controls be\nestablished to ensure that laws and regulations are followed; intended results are\nachieved; programs and resources are protected from waste, fraud and\nmismanagement; and information is reliable, timely, and available for decision\nmaking.\n\nGAO Publication GAO/AIMD-00-21.3.1. GAO Publication\nGAO/AIMD-00-21.3.1, “Standards for Internal Control in the Federal\nGovernment,” November 1999, establishes the overall framework for controls in\nthe Federal Government. The five standards for internal controls are Control\nEnvironment, Risk Assessment, Control Activities, Information and\nCommunications, and Monitoring. The standards require the minimum level of\nquality acceptable for internal controls in the Government and provide the basis\nagainst which all are to be evaluated and applied to all aspects of an agency's\noperations.\n\nDoD Directive 5200.28. DoD Directive 5200.28, “Security Requirements for\nAutomated Information Systems,” March 21, 1988, applies to all automated\ninformation systems including application system software. DoD\nDirective 5200.28 incorporates requirements of OMB Circular A-130. DoD\nDirective 5200.28 states that each Component head shall assign a Designated\nApproving Authority that is responsible for the accreditation of each automated\ninformation system.\n\n       •   Accreditation is the formal declaration of the automated information\n           system or application to operate. 
The accreditation is based on a\n           certification process.\n\n       •   Certification is a comprehensive evaluation of the technical and non-technical\n           security features of an information technology system and\n           other safeguards made in support of the accreditation process.\n\nDoD Directive 5200.28 also outlines the minimum system security necessary for\nautomated information systems. Each automated information system should\nsafeguard information against tampering, loss, and destruction. Because\nPowerTrack® service is part of the DoD automated transportation payment process,\nthe automated information systems requirements established in DoD\nDirective 5200.28 are applicable.\n\nDoD Instruction 5200.40. DoD Instruction 5200.40, “Defense Information\nTechnology Certification and Accreditation Process,” December 30, 1997,\nimplements the system security requirements identified in Public Law 100-235,\n“Computer Security Act of 1987,” OMB Circular A-130, and DoD\nDirective 5200.28. DoD Instruction 5200.40 prescribes procedures for the\ncertification and accreditation process with an emphasis on the system life-cycle\nmanagement approach. In addition, it creates a process for the Certification and\nAccreditation of DoD systems. DoD Instruction 5200.40 is applicable to the DoD\nComponents and their contractors, including U.S. Bank, and any system\nincorporated into a DoD infrastructure, including PowerTrack®. It applies to the\nacquisition, operation, and sustainment of any DoD system that collects, stores,\ntransmits, or processes information including PowerTrack®.\n\nAppendix E. 
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n  Assistant Deputy Under Secretary of Defense (Transportation Policy)\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n\nDepartment of the Army\nAuditor General, Department of the Army\nCommander, Army Materiel Command\nCommander, Blue Grass Army Depot\nCommander, Fort Knox\n\nDepartment of the Navy\nCommandant, Marine Corps\nNaval Inspector General\nAuditor General, Department of the Navy\nCommander, Naval Air Systems Command\n  Commanding Officer, Naval Air Station Oceana\nCommander, Naval Supply Systems Command\n  Commanding Officer, Fleet and Industrial Supply Center Norfolk\nCommander, Space and Naval Warfare Systems Command\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nCommander, Air Force Materiel Command\nCommander, Langley Air Force Base\nCommander, Wright-Patterson Air Force Base\n\nUnified Command\nCommander in Chief, U.S. 
Transportation Command\n\nOther Defense Organizations\nDirector, Defense Contract Management Agency\n   Defense Contract Management District East\n      Defense Contract Management Command Dayton\n   Defense Contract Management District West\n      Defense Contract Management Command San Diego\nDirector, Defense Finance and Accounting Service\n   Cleveland\n      Norfolk\n   Columbus\n   Denver\n      Dayton\n   Indianapolis\n   Kansas City\nDirector, Defense Information Security Agency\nDirector, Defense Logistics Agency\n   Defense Distribution Center\n      Defense Depot Center Susquehanna\n      Defense Distribution Depot Center Norfolk\n      Defense Distribution Depot Center San Diego\n\nNon-Defense Federal Organizations\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations,\n  Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on Government\n  Reform\n\nUnder Secretary of Defense (Comptroller) Comments\n\nUnder Secretary of Defense for Acquisition, Technology, and Logistics Comments\n\nFinal Report Reference (margin notes): Revised and renumbered as Recommendation B.1.a.; Revised and renumbered as Recommendation B.1.a.; Renumbered as Recommendation B.1.b.; Page 7 & 8; Page 14; Page 14; Page 16; Page 16; Page 18; Page 19; Page 20; Page 22; Page 26; Page 26; Page 29; Page 35\n\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence) Comments\n\nDepartment of the Navy Comments\n\nDepartment of the Air Force Comments\n\nAudit Team Members\nThe Finance and Accounting Directorate, Office of the Assistant Inspector General for\nAuditing, DoD, prepared this report. Personnel of the Office of the Inspector General,\nDoD, who contributed to the report are listed below.\n\nPaul J. Granetto\nRichard B. Bird\nAddie M. Beima\nDanny B. Convis\nSuellen R. Brittingham\nDorothy Jones\nCarolyn J. Davis\nStacey A. Sowers\nShanell T. Deal\nBrentley B. Roberts\nJoyce L. Clayton\nInnocencio E. Penaranda\nWen-Tswan Chen\n"